Cephalon Engine Roadmap
Editable roadmap diagram: docs/cephalon-engine-roadmap.drawio
Planning baseline in this document reflects the repository state as of April 30, 2026.
Target outcome
Section titled “Target outcome”Cephalon should become a modular runtime platform that can:
- compose modules, capabilities, and policies deterministically
- run across multiple hosts and transports without rewriting feature code
- generate opinionated app shapes from blueprints instead of ad-hoc setup
- ship as reusable packages, templates, and samples for other teams
- grow later into package loading, workflow, orchestration, and AI-driven runtime scenarios
Current status
Section titled “Current status”The foundation is no longer hypothetical. The repository already ships:
- host-agnostic module contracts in
Cephalon.Abstractions - configuration-driven engine composition in
Cephalon.Engine - technology-profile modeling for future-facing workloads through
Engine:TechnologiesandAppProfile.Technologies - baseline companion packages for
AgenticWorkloads,EventDrivenIntegration,KnowledgeRetrieval,MultiTenancy, andEdgeNativeDelivery - assembly-based module discovery
- module and capability policy toggles through
Engine:Options - manifest v2 with engine version, module metadata, and capability source mapping
- host adapters for ASP.NET Core and generic worker hosts
- transport support for
RestApi,JsonRpc,Grpc,GraphQL,ServerSentEvents, andWebSocket - OpenAPI + Scalar for REST-facing ASP.NET Core hosts
- scaffold plans, scaffold generation, and a working CLI
- a
dotnet newtemplate-pack baseline for the shipped blueprints - starter templates and a reference package for module authoring
- an explicit package-assembly loading baseline with package manifest introspection
- a baseline trust and capability-policy surface for package trust and REST boundary enforcement
- sample apps per shipped blueprint
- runtime failure policy baseline with fail-fast, capture-only, best-effort stop, and restart guards
- operational health endpoints, diagnostics surface, and dependency-health contributor baseline for ASP.NET Core hosts
- observability conventions for logs, metrics, tracing, and telemetry export guidance
- a benchmark suite plus baseline guardrail validation for composition, strict trust-policy composition, runtime lifecycle, ASP.NET Core request logging, and scaffolding hot paths
- a GitHub Actions release-validation workflow that runs the repo-native build, test, benchmark, and guardrail flow
- a repo-native
.NETreadiness assessment flow plus a dedicated.NET 11workflow lane that keep future-SDK validation separate from the stablenet10.0shipping baseline
That changes the plan materially:
- we do not need another “start the engine” phase
- we do need an “adopt this safely outside the repo” phase
- we should prioritize SDK hardening, templates, samples, and operational polish before advanced platform features
- public-surface hardening and compatibility guidance now sit inside that shipped SDK-adoption baseline rather than as vague follow-up work
Current planning reset (April 2026)
Section titled “Current planning reset (April 2026)”The repository now has enough shipped runtime to separate three kinds of surface explicitly:
- taxonomy-only vocabulary
- catalog plus runtime truth
- managed execution or provisioning ownership
That distinction matters because some technology packs already own real execution or control-plane loops, while others currently stop at descriptors, catalogs, and truthful introspection.
The next planning wave is therefore not “add more descriptors everywhere.” It is:
- make surface maturity explicit through Engine surface maturity audit
- keep intentional
M0andM1surfaces honest instead of letting them read like unfinishedM2work - prove one narrow managed vertical slice in mixed-maturity families before widening catalog breadth; the behavior REST profile/runtime ownership, eventing core execution-binding plus abstraction-level execution-readiness catalog/operator surface, the opt-in eventing in-process subscription execution lane with bounded process-local retries and duplicate-completed execution suppression, the bounded
POST /engine/event-publicationsoperator action, the/engine/event-publications/runtime*publication runtime-state read seam, the optional Wolverine proof with bounded dispatch and subscription terminal-failure posture, agentics dispatcher plus abstraction-level run-state/operator-action, bounded process-local executor retry posture, bounded process-local duplicate-completed suppression, approval-required filter, and terminal-failure filter, and retrieval lexical index/query plus bounded query action, manual reindex, and opt-in background reindex lanes are current examples - keep
Cephalon.MultiTenancycore narrow;Cephalon.MultiTenancy.Governanceowns concrete membership, invitation, delivery dispatch/retry/status reconciliation, observation-store, tenant-administration, domain-ownership, proof-collection/polling, and governance-action proofs, while optional ASP.NET Core, HTTP delivery, SMTP delivery, SendGrid delivery, Mailgun delivery, Amazon SES delivery, Amazon SES delivery ASP.NET Core, Microsoft Graph delivery, Microsoft Graph Azure Identity, SendGrid delivery ASP.NET Core, and Mailgun delivery ASP.NET Core companions own routing, provider sender handoff, provider token-provider handoff, filtered observation rollup summaries, attention-category drill-downs, provider-message drill-downs, remediation hints, provider payload translation, optional SendGrid signed-webhook verification, bounded process-local signed-callback replay protection, observation-store-backed SendGrid event-id idempotency, optional Mailgun HMAC signed-webhook verification, bounded process-local Mailgun replay-token rejection, observation-store-backed Mailgun event-id idempotency, Amazon SES over SNS callback translation, opt-in SNS signature verification, bounded process-local SNS replay protection, observation-store-backed Amazon SNS message-id idempotency, opt-in verified SNS subscription confirmation, and opt-in verified SNS unsubscribe-confirmation observation without bloating the base pack. Actual DNS proof publication, provider-backed proof publication or mutation, remediation execution beyond state transitions, distributed or provider-backed governance storage, identity-provider synchronization, additional provider-specific email API senders beyond the shipped SMTP/SendGrid/Mailgun/Amazon SES/Microsoft Graph set, SMS/chat/CRM/identity-provider invitation senders, Microsoft Entra app registration/permission consent/mailbox access policy, AWS account/IAM/identity verification, DKIM/SPF/DMARC, SES sandbox/configuration-set event destination setup, SNS topic/subscription creation, distributed retry queues, cross-node retry leases, provider-specific or distributed callback inboxes, cross-node callback replay protection, distributed event-id ledgers, provider-specific delivery-status callback payload translation beyond the shipped SendGrid/Mailgun/Amazon SES translators, provider-specific callback signature verification beyond shipped SendGrid/Mailgun/Amazon SNS hardening, provider polling, public onboarding, and tenant-admin UI/backoffice flows remain later companion-owned work - use
Cephalon.Behaviors,Cephalon.Behaviors.Http,Cephalon.Data, and the shipped edge provider packs as the current examples of truthful runtime ownership
Sprint alignment
Section titled “Sprint alignment”The project board now tracks both delivered work and upcoming work through explicit sprint buckets:
Foundation Sprint 1:ENG-000,ENG-001,ENG-002,ENG-003,ENG-004Foundation Sprint 2:ENG-006,ENG-007,ENG-008,ENG-009Foundation Sprint 3:ENG-014,ENG-015,ENG-025Adoption Sprint 0:ENG-016,ENG-017,ENG-018Operational Sprint 0:ENG-019,ENG-020,ENG-021,ENG-024,ENG-023Platform Sprint 0:ENG-012Sprint 1: deliveredENG-005,ENG-026, andENG-027, and opened the phase 2 operational gap-inventory trackSprint 2: exporter packaging is now part of the shipped phase-2 baseline, Cassandra contact-point health plus ClickHouse analytics health plus Consul control-plane health plus Elasticsearch cluster health plus HTTP external API plus Kafka broker metadata plus Memcached cache plus MongoDB plus MQTT plus MySQL plus NATS plus Neo4j plus OpenSearch plus Oracle plus Postgres plus RabbitMQ plus Redis/cache plus SQL Server dependency-health packaging anchor the provider-specific follow-through, the shared diagnostics/event-id catalog now anchors the structured diagnostics baseline, and release validation now calls out the health/export convention suite explicitlySprint 3: runtime-answers follow-through, the shipped package distribution/provenance and signer-verification follow-through underENG-011, the shippedENG-013execution-graph lifecycle/observability plus hosted-execution convention and agentic orchestration-link follow-through, the shippedENG-022suite-scaffold-shape baseline under#79, the shipped built-inMicroserviceSuitecomposition baseline under#80, the shipped multi-service suite sample baseline under#81, the shipped suite-governance and additive gateway/control-plane guidance baseline under#82, the shippedENG-029self-hosted OTLP follow-through slice, the shipped Azure Monitor first-vendor slice, the shipped AWS second-vendor slice, the shipped GCP third-vendor slice, the shipped Oracle Cloud managed-ingestion slice, the shipped DigitalOcean collector/defaults slice, the shipped VMware Tanzu proxy/defaults slice, the shipped Kubernetes collector/defaults slice, the shipped downstream Cloudflare/custom-provider authoring slice under#120, the shipped Grafana Cloud OTLP/header slice under#126, and the shipped New Relic native OTLP/api-key slice under#127Sprint 4: shippedENG-033cross-platform validation/shell parity plusENG-034first-run adoption and environment-doctor work so install, validation, and first-run guidance now hold together outside the repoSprint 5: shippedENG-035external module-package lifecycle prove-out so published packages, trust policy, and runtime introspection are exercised end to end outside the repo-local assembly pathSprint 6: shippedENG-036containerized local runtime and operations prove-out so Docker Desktop / WSL teams can validate startup, health, and telemetry handoff with a reproducible sample deployment shapeSprint 7: shippedENG-037generated-app local package-feed bootstrap follow-through so freshly scaffolded apps can restore, build, and take the documented container path from a seeded or repointed package source without repo-only NuGet knowledgeSprint 8: shippedENG-038generated-app published-output and deployment baseline so scaffolded apps now carry a deterministic folder-publish profile plus a validated smoke path from scaffold -> publish -> run from published outputSprint 9: shippedENG-039generated-app Linuxsystemddeployment baseline so scaffolded apps now also carry self-hosted service assets plus a validated WSLsystemd-analyzepath for Linux-class deployment packagingSprint 10: shippedENG-040generated-app Windows Service deployment baseline so scaffolded apps now also carry self-hosted Windows install assets plus a validated install-preview path against published output without admin-only repo validationSprint 11: shippedENG-041generated-app IIS deployment baseline so scaffolded apps now also carry hosted Windows site/app-pool assets plus a validated ANCMweb.configand install-preview path against published output without requiring a live IIS installSprint 12: shippedENG-042generated-app Azure App Service deployment baseline so scaffolded apps now also carry hosted Azure ZIP-deploy assets plus a validated run-from-package and Azure CLI preview path against published output without requiring live Azure credentialsSprint 13: shippedENG-043generated-app Azure Container Apps deployment baseline so scaffolded apps now also carry hosted Azure source-deploy assets plus a validated Dockerfile build and Azure CLI preview path from the generated app root without requiring live Azure credentialsSprint 14: shippedENG-044generated-app Kubernetes deployment baseline so scaffolded apps now also carry platform-neutral manifest/apply assets plus a validated Dockerfile build andkubectl kustomizepreview path from the generated app root without requiring a live clusterSprint 15: shippedENG-045generated-app container-image publishing baseline so scaffolded apps now also carry provider-neutral build/tag/push assets plus a validated local-registry smoke path from the generated app root without requiring a cloud-specific registry contractSprint 16: open phase 8 withENG-046,ENG-047, andENG-048so taxonomy, structured config, and host-agnostic contracts freeze before package or template drift startsSprint 17: deliverENG-049andENG-050so the relational-first data and eventing golden path exists before broader provider or security follow-throughSprint 18: deliverENG-051,ENG-052, andENG-053so identity/authorization, multi-tenancy/audit, and CLI/scaffolding/template/sample alignment land on top of the frozen phase-8 contractSprint 19: deliverENG-055andENG-056so validation, benchmarks, docs, XML comments, and reference-doc alignment close the phase-8 truthfulness gap before broader expansion claimsSprint 20: shippedENG-058 M1ABT foundation —IAppBehavior,IBehaviorContext,BehaviorDispatcher,BehaviorExecutionSlot,CompatibilityMatrix, ABT-001–ABT-006 compatibility rules, hosting — 499/499 tests (commit9d657da)Sprint 21: shippedENG-058 M2HTTP Transport Pack — 7 HTTP bindings (rest,jsonrpc,graphql,graphql-sse,graphql-ws,sse,ws),LazyTransportBinding— 516/516 tests (commitc957966)Sprint 22: shippedENG-058 M3Messaging Transport Pack — InMemory, RabbitMQ, Kafka bindings; M2 CTS leak fix — 527/527 tests (commit9183407)Sprint 23: shippedENG-058 M4Pattern Execution Strategies — 5 strategies (cqrs,event-driven,saga-step,process-manager,direct),ISagaStateStore,IProcessCheckpointStore,FrozenDictionaryregistry,IBehaviorContext.CorrelationId,IProcessCompletion— 575/575 tests (commitcc2ab0a)Sprint 24 (M5): shippedENG-058 M5Source Generator —BehaviorSourceGenerator(analyzer + incremental generator), ABT0010–ABT0013,BehaviorRegistrationHints.g.cs, 584/584 tests (commit8455b9a)Sprint 24 (M6): shippedENG-058 M6Runtime Integration —BehaviorRuntimeContributor,IBehaviorAdvisorysystem,IBehaviorContext.EventStore,BehaviorDiagnostics5100-5109, 592/592 tests (commit62d386c)Sprint 25: shippedENG-054MongoDB document-store provider —Cephalon.Data.MongoDB+Cephalon.EventSourcing.MongoDB, MongoDB.Driver 3.4.0 — 599/599 tests (commitf94dc28)Sprint 26: shippedENG-054Redis key-value-store provider —Cephalon.Data.Redis+Cephalon.EventSourcing.Redis, StackExchange.Redis 2.8.16 — 607/607 testsSprint 27: shippedENG-054Neo4j graph-store provider —Cephalon.Data.Neo4j+Cephalon.EventSourcing.Neo4j, Neo4j.Driver 6.0.0 — 615/615 testsSprint 28: shippedENG-054Cassandra wide-column-store provider —Cephalon.Data.Cassandra+Cephalon.EventSourcing.Cassandra, CassandraCSharpDriver 3.22.0 — 624/624 testsSprint 29: shippedENG-054ClickHouse analytics-store provider —Cephalon.Data.ClickHouse+Cephalon.EventSourcing.ClickHouse, ClickHouse.Driver 1.0.2 — 632/632 testsSprint 30: shippedENG-054Elasticsearch + OpenSearch search-store provider — 4 packages, Elastic.Clients.Elasticsearch 8.17.0 + OpenSearch.Client 1.8.0 — 640/640 testsSprint 31: shippedENG-054Qdrant vector-store + NATS ledger-store provider — 4 packages, Qdrant.Client 1.17.0 + NATS.Net 2.7.3 — 648/648 tests. ENG-054 Track 1 complete: all 9 non-relational provider families delivered. The same sprint also shippedENG-058-T30behavior-aware REST endpoint helper follow-through:MapBehaviorRestGroup(...), versioned OpenAPI metadata defaults, XML-comment enrichment, and showcase cart route deduplication over the behavior dispatcher,ENG-058-T31OpenAPI XML-comment deduplication follow-through so behavior<summary>and<remarks>render as distinct Scalar/OpenAPI summary and description text,ENG-058-T32named OpenAPI document selection viaBehaviorRestEndpointGroup.ApiVersion(major),ENG-058-T33versioned OpenAPI config canonicalization aroundOpenApi:EnabledVersionsplusOpenApi:DefaultVersion,ENG-058-T34versioned Scalar doc-link behavior,ENG-058-T35canonical Scalar links plus/api/v{major}REST-route alignment,ENG-058-T36configurable docs-route surfaces and module-major REST defaults,ENG-058-T37sharedBehaviorApiSurfacecanonical routing across the generic non-REST behavior HTTP bindings,ENG-058-T38canonicalApiRoutes:Prefixesdefaults for both built-in and generic HTTP transport surfaces,ENG-058-T40public REST documentation separation plus tag-metadata follow-through so module-owned REST groups now own the published REST OpenAPI/Scalar surface,ENG-058-T41cleanup that removed behavior-declared REST soMapEndpoints(...)plusMapBehaviorRestGroup(...)are no longer the main REST authoring story,ENG-058-T43module-owned behavior authoring baseline so one module can explicitly own both internal-only and REST-exposed behaviors throughBehaviorModuleBaseandRestBehaviorModuleBase,ENG-058-T44the single-surface REST behavior module DSL plusAutoRegister=falsedefault so REST behavior modules can declare public routes and internal ownership in one pass throughConfigureRestBehaviors(...),ENG-058-T46transport-neutral behavior results plus optional REST result-envelope projection so behaviors can return rawTOutorBehaviorResult<T>in the core contract while ASP.NET Core can still publishResultModel<T>/ResultModelErroron the REST wire when the host opts intoApiRoutes:ResultEnvelope:Enabled,ENG-058-T47plural REST error-envelope follow-through so validation and other multi-reason failures now flow through anerrorscollection backed byBehaviorFault.InnerFaultswhile OpenAPI generation keeps the same canonical plural contract,ENG-058-T48showcaseAddToCartBehaviorauthoring follow-through so the cart sample now demonstratesBehaviorResult<T>, multi-fault validation, checkout conflicts, and focused REST-envelope overrides in a concrete end-to-end module example,ENG-058-T49concise no-payloadBehaviorResultfactories so common async-return branches can now sayBehaviorResult.Invalid(...)/BehaviorResult.NotFound(...)/BehaviorResult.Conflict(...)without repeating<T>while docs call out the remainingTask.FromResult<BehaviorResult<TOut>>(...)inference edge case explicitly,ENG-058-T50configurable documented REST response statuses plus default500so hosts can narrow or expand the status list shown in OpenAPI + Scalar throughOpenApi:BehaviorRest:DocumentedStatusCodeswhile Cephalon now keeps500visible by default and stops forcing400/404when that list is narrowed, andENG-058-T51conciseResult<T>/Resultaliases so new behavior authoring can useResult<T>plusResult.*(...)while the legacyBehaviorResult<T>surface stays available as a compatibility alias and REST/OpenAPI recognizes both families. The transport surface now keeps GraphQL semantics schema-owned while still aligning GraphQL-family behavior endpoints with the same prefix/version policy used by the rest of the generic HTTP transport packInfrastructure Phase 1: solution filter files (core.slnf,data.slnf,observability.slnf,aspnetcore.slnf) + scaffolding scripts (New-ProviderPack.ps1,New-ObservabilityPack.ps1)Infrastructure Phase 2: test assembly split —Cephalon.Testsmonolith (648 tests) split intoCephalon.Tests.Support+Cephalon.Tests.Composition(327) +Cephalon.Tests.Hosting(200) +Cephalon.Tests.Tooling(121) — 648/648 testsSprint 32: backlog and roadmap alignment for all completed work through Sprint 31, status closeout for ENG-054/056/057Sprint 33: EF projection contributor (IProjectionContributor), Wolverine dispatch observability (ActivitySource+Meter), validation script fix for post-test-split environment, ENG-051 closeout — 648/648 testsSprint 34: comprehensive engine audit — WebSocket[LoggerMessage]logging fix, flaky test fix, architecture inventory/recommendations docs, ENG-049/050/052/053/055 closeout (all phase-8 baseline acceptance met), ENG-059 benchmark expansion planned — 648/648 testsSprint 35: shipped ENG-059 runtime hot-path benchmark expansion — data layer dispatch, behavior dispatch, authorization evaluation, tenant resolution, event sourcing, outbox staging — 13 new benchmarks across 6 classes, guardrails 10→23, 648/648 testsSprint 31: shipped ENG-054 provider configuration follow-through — connection-string-native packs now shareConnectionStringNameplusConnectionString(Cephalon.Data.MongoDB,Cephalon.Data.Redis), URI-first packs now shareUriNameplusUri(Cephalon.Data.Elasticsearch,Cephalon.Data.OpenSearch,Cephalon.Data.Neo4j,Cephalon.Data.Nats), named values resolve from the rootConnectionStringsorUrissections as appropriate, packs fail fast when both settings are supplied, and the docs now call out the provider-family contract explicitly while Cassandra/Qdrant remain topology-firstSprint 36:ENG-060established the engine-owned database topology baseline so physical database roles, migration targets, outbox routing, and history stores stop drifting across provider packsSprint 37:ENG-061is now shipped on top of that topology contract:Cephalon.Data.EntityFrameworkconsumesEngine:Databaseswrite/read roles directly, publishes role and migration metadata through the runtime surface, and supplies the migration-registration primitives that also let additive companion packs register truthful history-role executionSprint 38:ENG-062is now shipped:Cephalon.Audit.EntityFrameworkprovides the first durable audit-history baseline throughEngine:Audit:Historyplus a selected engine-owned database role, defaulting toHistory, and the showcase sample now proves the topology end to end through configuredWriteDb/ReadDb/HistoryDbroots for Docker-backed runs, separate read-side migrations, durable read-projection jobs staged in the write store, and the adoption-quality/api/v1/showcase/system/database-topologyoperator projection now promoted into the main/showcaseoperator console with derived operator insights, an ordered action plan, a shareable Markdown brief, and a downloadable self-describing handoff package for aligned-versus-drifting topology stateSprint 31follow-through:ENG-063is now shipped on top of the first durable history baseline so audit history now includes a host-agnostic filtered-page reader contract, engine-owned retention settings,/engine/audit-historyoperator routes, and showcase-facing/api/v1/showcase/audit/historyendpoints instead of staying write-onlySprint 31follow-through:ENG-064is now shipped on top of the same durable history baseline so audit history now also includes a host-agnostic bounded export contract,Engine:Audit:History:Export,/engine/audit-history/export, and showcase-facing/api/v1/showcase/audit/history/exportendpointsSprint 31follow-through:ENG-065is now shipped on top of the same topology baseline so dependent database targets can explicitly referencewritethroughUseRole,Cephalon.Data.EntityFrameworkplusCephalon.Audit.EntityFrameworknow surface requested versus resolved roles truthfully, and the showcase sample now demonstrates explicitOutbox -> writerouting while keeping a dedicated configuredHistoryDbrole for Docker-backed relational bootstrapSprint 31follow-through:ENG-066is now shipped on top of the same topology baseline so the engine now exposesIDatabaseRoleCatalog,/engine/database-roles,/engine/database-roles/{databaseRoleId}, andsnapshot.DatabaseRoleswith requested versus resolved role truth, role-consumer metadata, co-location answers, and audit-history enrichmentSprint 38follow-through:ENG-086is now shipped on top of the same database-topology baseline so the engine-owned runtime contract now includesRoleProbeFreshnessSeconds,Cephalon.Data.EntityFrameworknow caches role-probe results with explicit live-versus-cache metadata plus migration-state invalidation, and the showcase sample now surfaces probe source, age, and freshness timing directly from the engine-owned role catalogSprint 38follow-through:ENG-087is now shipped on top of the same database-topology baseline so the engine-owned role contract now exposes the typedDatabaseRoleProbeDescriptorsurface and the showcase sample now consumes that typed probe answer directly instead of parsing stable metadata keys locallySprint 38follow-through:ENG-088is now shipped on top of the same database-topology baseline so the engine now publishes/engine/database-topologyplussnapshot.DatabaseTopologyas the canonical operator posture summary, advisory, and ordered action-plan answer, and the showcase sample now consumes that engine-owned answer for readiness and core insights while keeping read-model drift/backlog follow-through sample-specificSprint 38follow-through:ENG-089is now shipped on top of the same database-topology baseline so the showcase sample now consumes the engine-owned action-plan contract directly, preserves stable action categories plus source role and migration ids in its operator projection/UI/brief, and the docs plus package-surface coverage now describe that shipped contract truthfullySprint 38follow-through:ENG-090is now shipped on top of the same database-topology baseline so the engine now publishes/engine/database-migration-playbookplussnapshot.DatabaseMigrationPlaybookas the canonical ordered migration answer, and the showcase sample now consumes that engine-owned playbook directly while keeping repo-root command adaptation and read-model follow-through sample-specificSprint 38follow-through:ENG-091is now shipped on top of the same database-topology baseline so the engine now publishes stable physical-target identity through/engine/database-rolesplus coordination counts, per-step partner targets, and shared-target warning/action guidance through/engine/database-migration-playbookand/engine/database-topology, and the showcase sample now consumes that engine-owned shared-database truth directly in/showcase, the operator brief, and the handoff packageSprint 38follow-through:ENG-092is now shipped on top of the same database-topology baseline so the engine-owned migration playbook now groups logical targets into physical-target execution batches with aggregate status, coverage counts, grouped migration ids, and shared-target coordination hints, and the showcase sample now consumes that engine-owned grouped answer directly in/showcase, the operator brief, and the handoff packageSprint 38follow-through:ENG-093is now shipped on top of the same database-topology baseline so the engine-owned migration playbook now also publishes grouped production and manual command sets per physical-target execution batch, and the showcase sample now consumes that engine-owned grouped command answer directly in/showcase, the operator brief, and the handoff packageSprint 38follow-through:ENG-094is now shipped on top of the same database-topology baseline so the engine-owned migration playbook now also publishes combined production and manual command-batch templates per physical-target execution batch, and the showcase sample now consumes that engine-owned combined batch answer directly in/showcase, the operator brief, and the handoff packageSprint 38follow-through:ENG-095is now shipped as the first phase 12 taxonomy slice soBuiltInPatternsnow includesstrangler-figplusbackend-for-frontend, configuration and/engine/patternscan express those architecture choices directly, and the remaining router/client-binding runtime follow-through stays plannedSprint 38follow-through:ENG-096is now shipped as the first non-taxonomy strangler-fig slice so modules and hosts can contribute migration routes through host-agnostic route-contribution and router contracts,/engine/strangler-figplussnapshot.StranglerFigRoutesnow expose the live catalog, and/engine/strangler-fig/resolvecan evaluate request ownership while migration progress/config and host-level cutover behavior remain plannedSprint 39:ENG-097is now shipped as the framework-readiness baseline soscripts/validate-dotnet-readiness.ps1now records current-versus-readiness SDK selection, target-framework audit results, and deployment-mode claim status,validate-release.ps1now uses the split test projects plus emits readiness artifacts, the release-validation workflow now also proves a dedicated.NET 11lane, and scaffolding now keepsnet11.0Dockerfile base images aligned with the requested target framework instead of freezing on10.0Sprint 39follow-through:ENG-210now hardens that same framework-readiness baseline with a machine-readable deployment-mode support contract soscripts/deployment-mode-support.jsoncarries the current trim / Native AOT / single-file support statement,scripts/validate-dotnet-readiness.ps1now validates project-detected claim status against that manifest, and docs plus package-publishing guidance now stay aligned with the same manifest-backed support story instead of relying on prose-only warningsSprint 39follow-through:ENG-211now carries that same framework-readiness truth intoCephalon.Clisocephalon doctorreads the packaged deployment-mode support contract, echoes the stablenet10.0shipping floor plus the.NET 11assessment-only readiness lane, and keeps trim / Native AOT / single-filenot-claimedposture visible from the same first-run command path external adopters already use for SDK/runtime/bootstrap verificationSprint 39follow-through:ENG-212now carries that same support-contract truth into generated-app doctor validation socephalon doctor --app-root <path>compares the generated host target framework against the stablenet10.0shipping floor plus the.NET 11assessment-only readiness lane, reads effectivePublishTrimmed,PublishAot, andPublishSingleFilesettings from the generated host project plusCephalonFolder.pubxml, and keeps generated-app support posture visible before restore, publish, or deployment work beginsSprint 39follow-through:ENG-213now carries that same generated-app doctor truth into deployment assets socephalon doctor --app-root <path>validates the generatedDockerfileplus the shipped container-image, Azure Container Apps, and Kubernetes deployment assets, compares Dockerfile SDK and ASP.NET base-image tags against the generated host target framework baseline, and keeps stable-floor versus readiness-lane deployment-asset posture visible before container-image or hosted-container deployment work beginsSprint 39follow-through:ENG-214now carries that same generated-app doctor truth into published-output deployment baselines socephalon doctor --app-root <path>validates the shipped Windows Service, IIS, Azure App Service, and Linuxsystemddeployment assets, checks that those generated scripts and units still align with the current host identity, and keeps self-hosted and hosted deployment-asset posture visible before published-output deployment work beginsSprint 39follow-through:ENG-215now carries that same generated-app doctor truth into local orchestration assets socephalon doctor --app-root <path>validates the shippedcompose.yamlandotel-collector-config.yamlassets, compares the generated compose baseline against the shipped Dockerfile plus OTLP collector handoff, compares the generated collector config againsthealth_check,otlp/httpon4318, and the debug-exporter pipelines, and keeps localdocker compose up --buildposture visible before adopters rely on that local container-runtime pathSprint 39follow-through:ENG-216now carries that same generated-app doctor truth into documentation-surface config socephalon doctor --app-root <path>validates the generatedConfigurations/AddOpenApi.jsonandConfigurations/AddReferenceDocs.jsonassets, checks that the OpenAPI title plus hosted reference-doc enablement, route, directory, and default-document settings stay explicit, and keeps/scalarplus optional hosted reference-doc posture visible before adopters rely on those docs surfacesSprint 39follow-through:ENG-217now carries that same generated-app doctor truth into split project configuration baselines socephalon doctor --app-root <path>validates the generatedConfigurations/AddEngine.*.jsonassets plusConfigurations/Observability/Development.json, checks that app-model, engine-feature, observability, localization, and development Serilog defaults stay explicit, and keeps split-config runtime plus docs plus telemetry posture visible before adopters rely on those generated defaultsSprint 39follow-through:ENG-218now carries that same generated-app doctor truth into host bootstrap alignment socephalon doctor --app-root <path>validates the scaffoldedProgram.csbootstrap source plus the generated host-projectPackageReferenceset andConfigurations/**/*.jsoncopy/publish baseline, checks that explicitAddCephalonProjectConfigurationsandMapCephalonwiring still stay visible, and keeps startup plus build/publish bootstrap posture visible before adopters rely on edited host startupSprint 39follow-through:ENG-219now carries that same generated-app doctor truth into starter test-harness alignment socephalon doctor --app-root <path>validates the generated test project plus scaffoldedArchitecture/CompositionSmokeTests.csandFeatures/*BehaviorSpecifications.csplaceholders, checks that composition smoke and Given/When/Then starter seams still stay visible, and keeps starter-test posture visible before adopters replace those files with real specsSprint 39follow-through:ENG-220now carries that same generated-app doctor truth into generated guidance docs socephalon doctor --app-root <path>validates the scaffolded rootREADME.md,Configurations/README.md, anddeploy/*/README.mdfiles, checks that package-source, split-config, publish, deployment, and local-orchestration instructions still align with the current app root, and keeps human-facing run/publish/deploy guidance visible before adopters follow the shipped docs literallySprint 39follow-through:ENG-221now carries that same generated-app doctor truth into local package-feed guidance socephalon doctor --app-root <path>validates the scaffolded.cephalon/packages/README.md, checks that local package-feed seeding plus shared-feed replacement instructions still align with the current generated app root, and keeps package-bootstrap guidance visible before adopters seed packages or swapNuGet.configSprint 39follow-through:ENG-222now carries that same generated-app doctor truth into executable container deployment scripts socephalon doctor --app-root <path>validates the scaffoldeddeploy/container-image/publish-image.ps1,deploy/azure-container-apps/deploy-up.ps1, anddeploy/kubernetes/apply.ps1files, checks that Dockerfile,NuGet.config, host-project/source-root, image placeholder, namespace, and manifest-root seams still align with the current generated app root, and keeps container image plus hosted-container script posture visible before adopters run those shipped deployment scriptsSprint 39follow-through:ENG-223now carries that same generated-app doctor truth into Kubernetes manifest content socephalon doctor --app-root <path>validates the scaffoldeddeploy/kubernetes/kustomization.yaml,deploy/kubernetes/namespace.yaml,deploy/kubernetes/deployment.yaml, anddeploy/kubernetes/service.yamlfiles, checks that namespace, labels, image placeholder, env, probe, andClusterIPservice seams still align with the current generated app root, and keeps platform-neutral Kubernetes manifest posture visible before adopters rely on those shipped manifests literallySprint 39follow-through:ENG-224now carries that same generated-app doctor truth into teardown and service-manager environment assets socephalon doctor --app-root <path>validates the scaffoldeddeploy/windows-service/remove-service.ps1,deploy/iis/remove-site.ps1, anddeploy/linux/systemd/<App>.envfiles, checks that Windows Service stop/delete, IIS site/app-pool teardown, and Linuxsystemdenvironment plus telemetry override seams still align with the current generated app root, and keeps teardown plus environment posture visible before adopters rely on those shipped operational assetsSprint 39follow-through:ENG-098now extends the same phase 11 resilience surface with shared behavior-execution rate limiting inCephalon.Behaviors, truthful/engine/behavior-resilienceplus snapshot metadata for that execution layer, and route-truthful REST429answers that can intentionally surface either the host-owned or behavior-owned limiter throughEngine:Resilience:RateLimiting:OverridesSprint 39follow-through:ENG-099now carries that same behavior-execution rate-limiting truth across the generic behavior HTTP adapters so GraphQL HTTP, JSON-RPC, GraphQL-SSE, GraphQL-WS, SSE, and WebSocket bindings all emit protocol-native limiter envelopes instead of flattening shared dispatch rejections into generic transport failuresSprint 40follow-through:ENG-100now carries the remaining behavior-execution timeout and circuit-breaker truth across the generic behavior HTTP adapters so GraphQL HTTP, JSON-RPC, GraphQL-SSE, GraphQL-WS, SSE, and WebSocket bindings emit protocol-native timeout and open-circuit envelopes instead of flattening those shared dispatch rejections into generic transport failuresSprint 40follow-through:ENG-101now extends the phase 12 strangler-fig baseline with deterministicEngine:Migration:StranglerFigdefault plus per-route policy overlays, a new host-agnostic migration-policy catalog projected intosnapshot.StranglerFigRoutePolicies, and ASP.NET Core/engine/strangler-fig/runtimeoperator routesSprint 40follow-through:ENG-102now closes the first ASP.NET Core strangler-fig cutover loop soEngine:Migration:StranglerFig:AspNetCorecan rewrite rooted local targets, redirect or proxy absolute HTTP or HTTPS targets, expose/engine/strangler-fig/cutoverplus/engine/strangler-fig/cutover/resolve, and fail unsupported selected endpoints truthfully with502without breaking the shared migration runtime truthSprint 40follow-through:ENG-119now ships the engine-first strangler-fig ingress follow-through soCephalon.AbstractionsexposesIStranglerFigIngressRuntimeCatalogplusStranglerFigIngressRuntimeDescriptor,Cephalon.Engineprojectssnapshot.StranglerFigIngressRoutes, and ASP.NET Core exposes/engine/strangler-fig/ingress*while cutover now derives from the shared ingress truth and provider-specific ingress or edge automation remains laterSprint 40follow-through:ENG-103now ships the first backend-for-frontend client-binding runtime so modules, hosts, andEngine:BackendForFrontend:Bindingscan contribute per-client transport bindings through host-agnostic contracts,snapshot.BackendForFrontendBindingsplus ASP.NET Core/engine/backend-for-frontendroutes publish the merged runtime truth, and thebackend-for-frontendpattern now auto-selects when bindings existSprint 40follow-through:ENG-104now adds the first client-aware backend-for-frontend REST filtering runtime so ASP.NET Core derivesIBackendForFrontendRestRuntimeCatalog,snapshot.BackendForFrontendRestEndpoints, and/engine/backend-for-frontend/rest-endpointsfrom the shared binding catalog plus published REST endpoint truth while per-client OpenAPI/Scalar materialization remains laterSprint 40follow-through:ENG-105now closes the first backend-for-frontend REST documentation/materialization loop so ASP.NET Core derivesIBackendForFrontendRestDocumentRuntimeCatalog,snapshot.BackendForFrontendRestDocuments,/engine/backend-for-frontend/rest-documents, and scope-specific filtered OpenAPI plus Scalar surfaces from the shared BFF REST runtime truth and the normal hostOpenApi:*configurationSprint 40follow-through:ENG-106now ships the first feature-flag runtime baseline so hosts, configuration, and modules can contributeFeatureFlagDescriptorentries throughengine.AddFeatureFlag(...),Engine:Features, andIFeatureFlagContributor, the engine now projects merged truth throughIFeatureFlagRuntimeCatalog,IFeatureToggle, andsnapshot.FeatureFlags, and ASP.NET Core now exposes/engine/featuresplus evaluation routes while the later generic provider bridge and any future capability publication remain separate follow-throughSprint 40follow-through:ENG-107now ships the generic external-provider bridge baseline for feature flags soFeatureFlagDescriptor.ProviderBindings,Engine:Features:Flags:*:ProviderBindings,engine.AddFeatureFlagProvider(...), andIFeatureFlagProvidercan add provider-backed rollout gates without replacing the Cephalon-owned runtime catalog,/engine/features/{featureFlagId}/evaluatenow returns provider-result details, and behavior-owned HTTP execution now keeps subject propagation aligned with the same provider-backed truthSprint 40follow-through:ENG-108now ships the first host-agnostic saga choreography baseline soIBehaviorTopologyBuilder.AsSagaChoreography()plus source-generated topology literals can declaresaga-choreography,Cephalon.Behaviors.Patternsnow exposesISagaChoreographyPublisher,SagaChoreographyPublication,SagaChoreographyStepResult,InMemorySagaChoreographyPublisher, andChoreographySagaExecutionStrategy, andCephalon.Behaviorsnow reports capabilitybehaviors.saga-choreographyplus advisoryABT-005when choreography steps omit outbox stagingSprint 40follow-through:ENG-109now ships the first durable-execution baseline soIBehaviorTopologyBuilder.AsDurableExecution()plus source-generated topology literals can declaredurable-execution,Cephalon.Behaviors.Patternsnow exposesIDurableExecution<TState>,IDurableExecution<TInput, TState, TOutput>,DurableExecutionState<TState>,DurableExecutionStepResult<TOutput>, andDurableExecutionStrategy,Cephalon.Behaviorsnow reports capabilitybehaviors.durable-executionplus ruleABT-006, and Kafka/RabbitMQ/test behavior contexts now flowIEventStoreinto the shared pipeline while richer durable runtime/operator surfaces remain later follow-throughSprint 40follow-through:ENG-110now ships the explicit saga choreography eventing bridge soCephalon.Eventing.BehaviorsexposesAddBehaviorEventingBridge(), preserves explicitISagaChoreographyPublisheroverrides, stages choreography publications through the same outbox-backed eventing publish path used byCephalon.Eventing, and projects capabilityeventing.behaviors.saga-choreographyplus thesaga-choreography-bridgesruntime surface without moving choreography ownership into the eventing baselineSprint 40follow-through:ENG-111now ships the first durable-execution runtime/operator catalog soCephalon.AbstractionsexposesDurableExecutionRuntimeDescriptorplusIDurableExecutionRuntimeCatalog,Cephalon.Behaviors.Patternsderives the catalog from shared durable behavior topology plus registered implementation types,snapshot.DurableExecutionsnow publishes the same answer, and ASP.NET Core now exposes/engine/durable-executionsplus id/module/transport drill-down routes while replay-progress and failure-posture follow-through remain laterSprint 40follow-through:ENG-112now ships the first durable-execution live runtime state and failure-posture surface soCephalon.AbstractionsexposesDurableExecutionRuntimeStateplusIDurableExecutionRuntimeStateCatalog,Cephalon.Behaviors.Patternsreports per-stream durable observations directly fromDurableExecutionStrategy,snapshot.DurableExecutionStatesnow publishes the same answer, and ASP.NET Core now exposes/engine/durable-executions/runtimeplus stream/behavior/module/transport drill-down routes while timers, signals, and compensation helpers remain laterSprint 40follow-through:ENG-113now ships the first durable timer/signal coordination surface soCephalon.AbstractionsexposesDurableExecutionPendingTimerplusDurableExecutionPendingSignal,DurableExecutionStepResult<TOutput>andDurableExecutionRuntimeStatecan carry pending timers/signals without a second workflow registry, the shared durable strategy now emits a truthfulwaitingposture with202when coordination remains pending, and ASP.NET Core now exposes/engine/durable-executions/runtime/timers*plus/engine/durable-executions/runtime/signals*while compensation helpers remain laterSprint 40follow-through:ENG-114now ships the first durable compensation-helper surface soCephalon.AbstractionsexposesDurableExecutionCompensationAction,DurableExecutionStepResult<TOutput>andDurableExecutionRuntimeStatecan carry operator-facing compensation actions without changing durable coordination semantics, the shared runtime-state catalog now preserves and filters those helpers without a second workflow registry, and ASP.NET Core now exposes/engine/durable-executions/runtime/compensations*while any future auto-executing recovery remains laterSprint 40follow-through:ENG-115now ships the first saga choreography authoring-helper surface soCephalon.Behaviors.PatternsexposesISagaChoreographyStepResult,ISagaEventReactor<TEvent>,ISagaEventReactor<TEvent, TOutput>,SagaChoreographyStepResult<TOutput>, and typed JSON publication helpers onSagaChoreographyPublication, whileChoreographySagaExecutionStrategycontinues to normalize the shared choreography result contract without inventing a second registry or collapsing the explicit eventing bridge into the patterns baselineSprint 40follow-through:ENG-116now ships the first saga choreography runtime/operator catalog soCephalon.AbstractionsexposesSagaChoreographyRuntimeDescriptorplusISagaChoreographyRuntimeCatalog,Cephalon.Behaviors.Patternsderives the catalog from shared choreography behavior topology plus registered implementation types,snapshot.SagaChoreographiesnow publishes the same answer, and ASP.NET Core now exposes/engine/saga-choreographiesplus id/module/transport drill-down routes. Live publication-state and capability-publication follow-through landed later and are now shippedSprint 40follow-through:ENG-117now ships the first live saga choreography publication-state baseline soCephalon.AbstractionsexposesSagaChoreographyPublicationRuntimeStateplusISagaChoreographyPublicationRuntimeStateCatalog,ChoreographySagaExecutionStrategyreports accepted and failed publication handoff observations directly from the shared choreography path,snapshot.SagaChoreographyPublicationStatesnow publishes the same answer, and ASP.NET Core now exposes/engine/saga-choreographies/runtimeplus publication, behavior, module, transport, channel, correlation, compensation, and failure drill-down routes; the module-backed capability-publication follow-through is now also shipped throughbehaviors.saga-choreography.runtime-catalogandbehaviors.saga-choreography.publication-stateSprint 40follow-through:ENG-118now ships the module-backed saga choreography capability-publication follow-through soCephalon.Behaviorspublishesbehaviors.saga-choreography.runtime-catalogandbehaviors.saga-choreography.publication-stateonly whenAddBehaviorPatterns()actually registersISagaChoreographyRuntimeCatalogandISagaChoreographyPublicationRuntimeStateCatalog,/engine/capabilitiesnow exposes the same pack/service/snapshot/route truth, and capability provenance stays with thebehaviorsmodule instead of inventing a synthetic engine or bridge sourceSprint 36–37 (Phase 11):ENG-076now ships the contract-first resilience baseline —Engine:Resilience,AppProfile.Resilience,/engine/resilience, and the missingonion-architectureplusanti-corruption-layerpattern descriptors —ENG-077now ships the first transport-native follow-through through ASP.NET Core public-HTTP rate limiting plus/engine/rate-limiting,ENG-078now adds endpoint-scoped behavior/transport override modeling for ASP.NET Core HTTP surfaces,ENG-079now adds the first behavior-pipeline follow-through through shared timeout-plus-bulkhead enforcement plus/engine/behavior-resilience,ENG-080now adds behavior-execution override resolution with behavior/transport precedence plus route-truthful REST/OpenAPI answers,ENG-081now adds shared circuit-breaker enforcement plus live runtime state and truthful REST503answers for open circuits,ENG-082now adds behavior-authored idempotency plus retry-eligibility classification/runtime metadata for the same behavior-execution surface,ENG-083now closes the loop with idempotency-gated retry execution plus truthful retry runtime metadata in the shared behavior pipeline,ENG-084now splits the built-in ASP.NET Core GraphQL surface into explicit HTTP, schema, SSE, and WebSocket routes while/engine/rate-limitingnow publishes truthful long-lived stream/connection metadata,ENG-085now rounds out the shared GraphQL authoring baseline throughConfigureGraphQLMutation(...)plusConfigureGraphQLSubscription(...)and protocol-level proof that configured schema, SSE, and WebSocket routes execute real SDL,text/event-stream, andgraphql-transport-wsbehavior,ENG-098now extends the shared behavior-execution surface with rate limiting plus REST429precedence that stays truthful when ASP.NET Core and behavior-dispatch limiters both target the same route,ENG-099now keeps that same rate-limiting truth protocol-native for the generic behavior HTTP GraphQL, JSON-RPC, SSE, and WebSocket adapters, andENG-100now keeps timeout plus open-circuit503truth equally protocol-native for those same generic behavior HTTP adapters; broader non-REST resilience-envelope semantics beyond the current429/503baseline remain planned follow-throughSprint 38–40 (Phase 12): planned migration and advanced coordination — the descriptor baseline for strangler fig plus BFF, the first strangler-fig runtime-contract slice, the first configuration-driven strangler-fig migration-policy/progress slice, the first ASP.NET Core host-level cutover runtime, the engine-first strangler-fig ingress-runtime follow-through, the first BFF client-binding runtime, the first client-aware BFF REST filtering runtime, the first BFF REST documentation/materialization runtime, the first feature-flag runtime baseline, the generic external-provider bridge baseline, the first host-agnostic saga choreography baseline, the explicit choreography-to-eventing bridge baseline, the first saga choreography authoring-helper follow-through, the first saga choreography runtime/operator catalog follow-through, the first live saga choreography publication-state follow-through, the module-backed saga choreography capability-publication follow-through, the first durable-execution baseline, the first durable runtime/operator catalog follow-through, the first durable live-state/failure-posture follow-through, the first durable timer/signal coordination follow-through, and the first durable compensation-helper follow-through are now shipped, while broader non-REST frontend-materialization, provider-specific ingress or edge automation, and provider-specific feature-flag companion packs remain plannedSprint 40–41 (Phase 13):ENG-120now ships the first cell-based architecture boundary baseline throughCellBoundaryDescriptor,ICellBoundaryCatalog,/engine/cells,snapshot.CellBoundaries, and thecell-boundariestechnology surface,ENG-121now adds the first governed cell-route baseline throughCellRouteDescriptor,ICellRouteCatalog,/engine/cell-routes,snapshot.CellRoutes, and thecell-routestechnology surface,ENG-122now adds the first cell health-isolation baseline throughCellHealthIsolationDescriptor,ICellHealthIsolationCatalog,/engine/cell-health-isolations,snapshot.CellHealthIsolations, and thecell-health-isolationstechnology surface,ENG-123now closes the engine-owned cell baseline with configuration-driven traffic automation throughEngine:Cells:TrafficAutomation,ICellTrafficAutomationRuntimeCatalog,/engine/cell-traffic-automations,snapshot.CellTrafficAutomations, and thecell-traffic-automationstechnology surface,ENG-124now adds the first data-mesh runtime baseline through/engine/data-productsplussnapshot.DataProducts,ENG-125now adds the first CDC capture descriptor baseline through/engine/cdc-capturesplussnapshot.CdcCaptures,ENG-126now adds the first live CDC runtime-state follow-through throughCdcCaptureRuntimeState,ICdcCaptureRuntimeStateCatalog,/engine/cdc-captures/runtime,snapshot.CdcCaptureStates, and optional linked outbox dispatch posture,ENG-127now extends that same surface with typed CDC freshness, lag, and publication-posture answers,ENG-128now adds the shared CDC hosted-execution substrate throughCdcCaptureExecutionResult,data.cdc.execution,data-cdc-capture-flow,data-cdc-capture-pump, and shared in-process outbox staging/runtime-story truth,ENG-129now closes the shared replay-safe checkpoint-commit follow-through throughCdcCaptureExecutionAcknowledgement,ICdcCaptureAcknowledger,acknowledge-cdc-progress, and post-stage provider acknowledgement metadata,ENG-130now adds the execution-topology layer throughCdcCaptureExecutionRuntimeDescriptor,ICdcCaptureExecutionRuntimeCatalog,/engine/cdc-capture-runtimes, andsnapshot.CdcCaptureExecutionRuntimes,ENG-131now binds capture-side authored/requested/effective execution ownership throughCdcCaptureExecutionBindingDescriptor,ExecutionBindingon/engine/cdc-captures*plus/engine/cdc-captures/runtime*, deterministic runtime-claim resolution, inverse execution-runtime drill-down routes, and shared-pump filtering so shared or future provider-native runners stay on one truthful ownership model,ENG-132now lets hosts declare external-managed or provider-native CDC execution runtimes through first-class runtime fields plusDataRuntimeOptions.CdcExecutionRuntimeswhile keeping/engine/cdc-capture-runtimes*, inverse capture/runtime drill-down routes, and the shared-pump ownership truth aligned on one registry,ENG-133now proves the first concrete provider-native runner through MongoDB change streams on the same/engine/cdc-*,/engine/execution-graphs,/engine/hosted-executions, andsnapshotsurfaces,ENG-134now adds the first opt-in out-of-process CDC live-reporting seam throughCdcCaptureRuntimeObservation,ICdcCaptureExecutionRuntimeReportSink, andPOST /engine/cdc-capture-runtimes/{executionRuntimeId}/reportsso external runners can refresh the same runtime-state and execution-runtime summaries without a second registry,ENG-135now extends the shared cell automation catalog with first-classproviderIdplusedgeNodeIds, provider and edge-node drill-down routes, and derivedprovider-managed/edge-managed/provider-and-edge-managedposture so provider-aware and edge-aware traffic automation stay on one runtime truth,ENG-136now adds the first provider-managed traffic materializer seam on that same catalog,ENG-137now letsCephalon.Edgecontribute the first edge-runtime traffic materializer throughICellTrafficAutomationEdgeMaterializer, generic materialization result/state contracts, and additive edge-materialization fields onCellTrafficAutomationRuntimeDescriptor,ENG-139now proves the first provider-specific control-plane materializer throughCephalon.Edge.KubernetesGateway,AddKubernetesGatewayTrafficMaterializer(...), deterministic Gateway API intent projection, and thekubernetes-gateway-traffic-materializationstechnology surface while keeping materializer selection plus reconciliation truth on the shared/engine/cell-traffic-automations*andsnapshot.CellTrafficAutomationssurfaces,ENG-140now adds the first live Kubernetes Gateway API observation overlay throughICellTrafficAutomationMaterializationReportSink,KubernetesGatewayTrafficObservationOptions, opt-inobserve-onlymaterializer mode, and recurring Gateway plus HTTPRoute status polling so the same shared automation catalog, provider-specific technology surface, andsnapshot.CellTrafficAutomationscan publish observedAccepted/ResolvedRefs/Programmed, drift, and freshness posture without inventing a second control-plane registry,ENG-141now hardens that same provider-specific pack withapply-and-reconcilemode soconfigured-intentremains truthfullypending, ownedHTTPRouteresources can be created or replaced,Gatewaystays a pre-provisioned dependency, and the same shared automation catalog plus provider-specific technology surface can publish ownership-aware write results together with observed control-plane status without inventing a second registry,ENG-142now proves that the same provider-materializer seam also fits Traefik throughCephalon.Edge.Traefik,AddTraefikTrafficMaterializer(...), deterministicIngressRouteintent projection, and thetraefik-ingressroute-traffic-materializationstechnology surface while keeping materializer selection plus reconciliation truth on the shared/engine/cell-traffic-automations*andsnapshot.CellTrafficAutomationssurfaces,ENG-143now normalizes shared ownership/dependency/drift/lifecycle-action truth across provider and edge materializers,ENG-144now adds the first live Traefik observation overlay throughTraefikTrafficObservationModes,TraefikTrafficObservationOptions, opt-inobserve-onlypolling, and recurring Traefik CRD plus dependent Kubernetes resource observation so the same shared automation catalog, provider-specific technology surface, andsnapshot.CellTrafficAutomationscan publish observed route existence, ownership, dependency, drift, and freshness posture without inventing a second control-plane registry,ENG-145now hardens that same Traefik pack with ownedIngressRouteapply-and-reconcile so the same shared automation catalog and provider-specific technology surface can publish ownership-aware write metadata together with reconciled live Traefik observation without inventing a second registry,ENG-146now hardens provider-native lifecycle execution across Kubernetes Gateway and Traefik by distinguishing external conflicts from orphaned transfer candidates, lazily resolving active owners through the shared traffic catalog, and preserving mergedcreate/replace/transferlifecycle truth on the existing shared and provider-specific surfaces,ENG-147now closes the first cleanup-sweep follow-through through opt-inEnableCleanupSweep, namespace-scoped delete/prune passes over stale transferred or orphaned provider-owned routes, and additiveproviderMaterialization.cleanup*plus provider-surface cleanup metadata on that same runtime story, andENG-150now adds richer provider-native condition semantics throughCellTrafficAutomationMaterializationConditionDescriptor, stable condition dimensions/categories/states/severities, typedConditionson provider and edge materialization results,MaterializationConditionsonCellTrafficAutomationRuntimeDescriptor, and additivematerialization.*,providerMaterialization.*, plusedgeMaterialization.*condition summaries such asconditionCount,conditionCategories,conditionBreakdown, andhighestConditionSeverity; broader dependency-aware teardown and additional CDC execution topologies remain plannedSprint 40–41 (Phase 13):ENG-148now adds the second provider-native CDC runner and first relational CDC proof throughCephalon.Data.SqlServer,AddSqlServerData(...),SqlServerCdcCaptureOptions,sqlserver-cdc-capture-flow,sqlserver-cdc-capture-pump, durablestartLsn|seqval|operationcheckpoints, and the same shared/engine/cdc-captures*,/engine/cdc-captures/runtime*,/engine/cdc-capture-runtimes*,/engine/execution-graphs,/engine/hosted-executions,/engine/runtime-story, andsnapshotsurfaces without inventing a second relational CDC registry, whileENG-149now hardens external CDC reporting on that same runtime story with stableReportId, configured stale-window plus out-of-order policy, and aggregateObservationFreshnesson the existing/engine/cdc-*plussnapshotsurfacesSprint 40–41 (Phase 13):ENG-152now deepens that same shared external CDC runtime story with first-classReporterIdplusEdgeNodeId, declaredReporterLeaseSeconds,RejectConflictingReporterIds, andEdgeNodeIds, shared reporter-lease and edge-node validation on the external report sink, and additiveLastReporterId,ActiveReporterId,ReporterLeaseExpiresAtUtc,ObservedEdgeNodeIds, plusLastEdgeNodeIdanswers on the existing/engine/cdc-*andsnapshotsurfaces instead of a second topology coordinatorSprint 40–41 (Phase 13):ENG-153now adds the third provider-native CDC runner and the first logical-replication streaming proof throughCephalon.Data.Postgres,AddPostgresData(...),PostgresLogicalReplicationCaptureOptions,postgresql-logical-replication-capture-flow,postgresql-logical-replication-capture-pump, slot-backed durableslotName|commitLsn|transactionEndLsncheckpoints, publication/table validation, optional slot creation, and the same shared/engine/cdc-captures*,/engine/cdc-captures/runtime*,/engine/cdc-capture-runtimes*,/engine/execution-graphs,/engine/hosted-executions,/engine/runtime-story, andsnapshotsurfaces without inventing a PostgreSQL-specific CDC registrySprint 40–41 (Phase 13):ENG-154now hardens that PostgreSQL runner with publication and slot lifecycle truth throughRecreateSlotIfInvalidated, slot type/plugin/database ownership validation, inactive invalidated-slot recreation, restart-safeslot-confirmed-flush-lsnresume metadata, and additiveslotLifecycle*plus failure-kind answers on the existing shared/engine/cdc-*,/engine/execution-graphs,/engine/hosted-executions,/engine/runtime-story, andsnapshotsurfaces instead of a PostgreSQL-only watchdogSprint 40–41 (Phase 13):ENG-155now adds richer external and edge-aware CDC failover plus takeover truth on that same shared runtime story:CdcCaptureRuntimeStateplusCdcCaptureExecutionRuntimeSummarynow publish typedReporterCoordination,Cephalon.Datanow records rejected conflicting reporters and accepted post-expiry takeovers on the shared runtime-state catalog, and the same/engine/cdc-captures/runtime*,/engine/cdc-capture-runtimes*,POST /engine/cdc-capture-runtimes/{executionRuntimeId}/reports, andsnapshotsurfaces now answer active-owner versus expired-lease versus conflicted reporter posture without inventing a second topology coordinatorSprint 40–41 (Phase 13):ENG-156now hardens that same shared external CDC runtime story with richer multi-reporter reconciliation:Cephalon.Abstractionsnow shipsCdcCaptureReporterParticipantRolesplusCdcCaptureReporterParticipantStatus,CdcCaptureReporterCoordinationStatusnow carriesReporterParticipants,HasStandbyReporters, andHasRejectedReporters, andCephalon.Datanow keeps accepted previous owners visible as standby participants plus rejected conflicts visible as rejected participants on the existing/engine/cdc-captures/runtime*,/engine/cdc-capture-runtimes*,POST /engine/cdc-capture-runtimes/{executionRuntimeId}/reports, andsnapshotsurfaces instead of inventing a second coordination registrySprint 40–41 (Phase 13):ENG-157now hardens that same shared external CDC runtime story with stable takeover and degraded-posture semantics:Cephalon.Abstractionsnow shipsCdcCaptureReporterCoordinationIssueReasonsplusCdcCaptureReporterTakeoverStates,CdcCaptureReporterCoordinationStatusnow carriesTakeoverState,DegradedReason,RequiresTakeover, andHasCompletedTakeover, andCephalon.Datanow classifies awaiting-takeover, rejected-conflict, and multiple-active ambiguity on the existing/engine/cdc-captures/runtime*,/engine/cdc-capture-runtimes*,POST /engine/cdc-capture-runtimes/{executionRuntimeId}/reports, andsnapshotsurfaces without inventing a second operator taxonomySprint 40–41 (Phase 13):ENG-158now adds the fourth provider-native CDC runner and the first MySQL binlog proof throughCephalon.Data.MySql,AddMySqlData(...),MySqlBinlogCaptureOptions,mysql-binlog-capture-flow,mysql-binlog-capture-pump, durablebinlogFile|positioncheckpoints, bounded row-event batching, and the same shared/engine/cdc-captures*,/engine/cdc-captures/runtime*,/engine/cdc-capture-runtimes*,/engine/execution-graphs,/engine/hosted-executions,/engine/runtime-story, andsnapshotsurfaces without inventing a MySQL-specific CDC registrySprint 40–41 (Phase 13):ENG-159now hardens that same MySQL provider-native runner with source-server identity plus retained-binlog lifecycle truth:MySqlBinlogCaptureOptionsnow supportsExpectedSourceServerUuid, the Cephalon-managed checkpoint table now keeps additiveSourceServerUuid,SourceServerId,GtidExecutedSet,BinlogFormat, andBinlogRowImagemetadata, and the existing shared/engine/cdc-captures/runtime*,/engine/cdc-capture-runtimes*,/engine/execution-graphs,/engine/hosted-executions,/engine/runtime-story, andsnapshotsurfaces now publishbinlogLifecycle*,sourceServerIdentity*,checkpoint*, and GTID observe-only answers without inventing a MySQL-only lifecycle registrySprint 40–41 (Phase 13):ENG-160now broadens the shared external CDC runtime story with reporter rejoin and stale-conflict cleanup, whileENG-161now adds the fifth provider-native CDC implementation and first Oracle LogMiner redo-log proof throughCephalon.Data.Oracle,AddOracleData(...),OracleLogMinerCaptureOptions,oracle-logminer-capture-flow,oracle-logminer-capture-pump, durablecommitScn|changeScn|rsId|ssncheckpoints, bounded SCN-window LogMiner execution, and the same shared/engine/cdc-captures*,/engine/cdc-captures/runtime*,/engine/cdc-capture-runtimes*,/engine/execution-graphs,/engine/hosted-executions,/engine/runtime-story, andsnapshotsurfaces without inventing an Oracle-specific CDC registrySprint 40–41 (Phase 13):ENG-162now hardens that Oracle runner with additive database-identity plus archive-log lifecycle and checkpoint-provenance truth, whileENG-163now adds reporter-, edge-, coordination-, and degraded-reason drill-downs on the same shared/engine/cdc-captures/runtime*,/engine/cdc-capture-runtimes*, andsnapshotsurfaces so operator flows can query one reporter or one degraded posture without inventing a second coordination surfaceSprint 40–41 (Phase 13):ENG-164now adds the first external managed-connector capture implementation throughCephalon.Data.Debezium,AddDebeziumData(...),DebeziumConnectorOptions, andDebeziumCaptureOptions, projecting Debezium-managed capture ownership plus external runtime reporting onto the same shared/engine/cdc-*,/engine/runtime-story, andsnapshotsurfaces without faking a hosted execution, execution graph, or Debezium-only registrySprint 40–41 (Phase 13):ENG-165now hardens that same Debezium managed-connector story with observe-only lifecycle and task-reconciliation truth throughManagementMode,ExpectedTaskCount, normalizeddebezium*report metadata, and runtime-scoped execution-runtime metadata promotion on the same shared/engine/cdc-*,/engine/runtime-story, andsnapshotsurfaces without inventing a Debezium-only lifecycle registrySprint 40–41 (Phase 13):ENG-166now adds richer CDC operator-story rollups on that same shared external runtime story by projecting typedReporterCoordinationRollupbreakdowns, active/standby/rejected reporter ids, and degraded capture ids ontoCdcCaptureExecutionRuntimeSummary, the existing/engine/cdc-capture-runtimes*routes, andsnapshot.CdcCaptureExecutionRuntimeswithout inventing a second coordination or Debezium-only rollup surfaceSprint 40–41 (Phase 13):ENG-167now hardens that same shared external runtime story with declared-versus-reported coverage truth throughCdcCaptureExecutionRuntimeReportingCoverageStates,CdcCaptureExecutionRuntimeReportingCoverageStatus, additiveReportingCoverageonCdcCaptureExecutionRuntimeSummary, and report-awareReportedCdcCaptureIdsprojection on the existing/engine/cdc-capture-runtimes*routes plussnapshot.CdcCaptureExecutionRuntimeswithout inventing a second coverage registrySprint 40–41 (Phase 13):ENG-168now closes the next shared follow-through on that same external runtime story throughCdcCaptureExecutionRuntimeRemediationStates,CdcCaptureExecutionRuntimeRemediationCategories, additiveRemediationonCdcCaptureExecutionRuntimeSummary, resolved-ownership coverage/remediation derivation in the shared execution-runtime catalog, and runtime-first remediation drill-down routes on the existing/engine/cdc-capture-runtimes*family plussnapshot.CdcCaptureExecutionRuntimeswithout inventing a second remediation registrySprint 40–41 (Phase 13):ENG-169now closes the next shared follow-through on that same external runtime story through managed-connector governance posture onCdcCaptureExecutionRuntimeDescriptor.ManagedConnectorGovernance, mergedmanagedConnector*governance derivation in the shared execution-runtime catalog, and runtime-first/engine/cdc-capture-runtimes/governance/*drill-downs without inventing a Debezium-only governance registrySprint 40–41 (Phase 13):ENG-170now closes the next shared follow-through on that same external runtime story through desired-versus-observed managed-connector drift posture onCdcCaptureExecutionRuntimeDescriptor.ManagedConnectorDrift, merged declared-versus-reportedmanagedConnector*drift derivation in the shared execution-runtime catalog, and runtime-first/engine/cdc-capture-runtimes/drift/*drill-downs without inventing a Debezium-only drift registrySprint 40–41 (Phase 13):ENG-171now closes the next shared follow-through on that same external runtime story through managed-connector action-planning posture onCdcCaptureExecutionRuntimeDescriptor.ManagedConnectorActionPlan, merged remediation-plus-governance-plus-drift derivation in the shared execution-runtime catalog, and runtime-first/engine/cdc-capture-runtimes/action-plans/*plus/engine/cdc-capture-runtimes/actions/*drill-downs without inventing a Debezium-only action-planning registrySprint 40–41 (Phase 13):ENG-172now closes the next shared follow-through on that same external runtime story through managed-connector write-path readiness posture onCdcCaptureExecutionRuntimeDescriptor.ManagedConnectorWritePathReadiness, merged coverage-plus-remediation-plus-governance-plus-drift-plus-action-planning derivation in the shared execution-runtime catalog, and runtime-first/engine/cdc-capture-runtimes/write-path-readiness/*drill-downs without inventing a Debezium-only readiness registrySprint 40–41 (Phase 13):ENG-150now adds richer provider-native condition semantics on the shared cell traffic runtime story, whileENG-151now broadens dependency-aware teardown on that same runtime story by publishingcleanupStrategyplus primary/dependency cleanup breakdowns, keeping Kubernetes Gateway explicitlyprimary-onlyfor ownedHTTPRoutesweeps, and letting Traefik remove safe ownedMiddlewareplusTLSOptiondependents on the same shared plus provider-specific surfaces; broader provider-side teardown families and additional CDC execution topologies remain plannedSprint 42:ENG-230now establishes the engine surface maturity audit baseline so package ownership and proof levels are explicit before more mixed-maturity expansion landsSprint 43:ENG-231now adds the first truthful managed event-subscription execution baseline so the eventing family proves one managed execution story before widening descriptor breadth againSprint 44: shippedENG-232agentics tool execution and run-state baseline soCephalon.Agenticsgrows from catalog truth into one real dispatcher/run-state loopSprint 45: shippedENG-233retrieval indexing, query execution, and freshness baseline soCephalon.Retrievalgrows from collection catalog truth into one provider-fed lexical index/query/freshness loopSprint 46: shippedENG-234multi-tenancy governance, membership, and domain workflow companion split soCephalon.MultiTenancystays focused on tenant resolution while the broader workflow lane is explicit and companion-plannedSprint 47: shippedENG-235multi-tenancy governance membership evaluation baseline soCephalon.MultiTenancy.Governanceowns the first concrete membership catalog/evaluation runtime proof without pulling broader governance workflows into the base packageSprint 48: shippedENG-236multi-tenancy governance invitation validation baseline soCephalon.MultiTenancy.Governanceowns the first concrete invitation catalog/validation runtime proof without taking over delivery, durable storage, public onboarding, or identity-provider synchronizationSprint 49: shippedENG-237multi-tenancy governance domain ownership validation baseline soCephalon.MultiTenancy.Governanceowns declared domain-ownership catalog/validation without taking over DNS/HTTP proof collection, durable storage, public onboarding, or tenant administrationSprint 50: shippedENG-238multi-tenancy governance action decision baseline soCephalon.MultiTenancy.Governanceowns approval/remediation action cataloging plus deterministic action decisions while leaving workflow execution to the follow-up now shipped inENG-239Sprint 51: shippedENG-239multi-tenancy governance action workflow execution baseline soCephalon.MultiTenancy.Governanceowns in-process request/approve/reject/remediation/expire status transitions over the same action catalog while leaving durable action storage to the follow-up now shipped inENG-240Sprint 52: shippedENG-240multi-tenancy governance durable action store baseline soCephalon.MultiTenancy.Governanceowns a public action-store seam, in-memory default, opt-in local JSON durability,store-failedworkflow outcome, and action-store runtime metadata without taking over broader human-task, notification, remediation-execution, tenant-admin, or provider-backed store ownershipSprint 53: shippedENG-241multi-tenancy governance durable membership store baseline soCephalon.MultiTenancy.Governanceowns a public membership-store seam, in-memory default, opt-in local JSON durability, and membership-store runtime metadata without taking over invitation/domain storage, identity-provider sync, tenant-admin, public onboarding, or provider-backed store ownershipSprint 54: shippedENG-242multi-tenancy governance durable invitation store baseline soCephalon.MultiTenancy.Governanceowns a public invitation-store seam, in-memory default, opt-in local JSON durability, and invitation-store runtime metadata without taking over invitation delivery, public onboarding, identity-provider sync, tenant-admin, domain storage, or provider-backed store ownershipSprint 55: shippedENG-243multi-tenancy governance durable domain ownership store baseline soCephalon.MultiTenancy.Governanceowns a public domain-ownership-store seam, in-memory default, opt-in local JSON durability, and domain-ownership-store runtime metadata without taking over DNS/HTTP proof collection, domain lifecycle automation, tenant-admin, public onboarding, or provider-backed store ownershipSprint 56: shippedENG-244multi-tenancy governance domain ownership verification workflow baseline soCephalon.MultiTenancy.Governanceowns in-process request/verify/reject/suspend/expire status transitions over the same domain-ownership catalog and store without taking over DNS/HTTP proof collection, external polling, tenant-admin, public onboarding, or provider-backed verification ownershipSprint 57: shippedENG-245multi-tenancy governance domain ownership proof evaluation baseline soCephalon.MultiTenancy.Governanceowns reported-proof comparison plus verify/reject workflow mutation without taking over DNS/HTTP proof collection, external polling, tenant-admin, public onboarding, or provider-backed verification collectionSprint 58: shippedENG-246multi-tenancy governance domain ownership proof challenge issuance baseline soCephalon.MultiTenancy.Governanceowns expected-proof challenge generation plus DNS TXT/HTTP publication hints without taking over DNS/HTTP publication, collection, external polling, tenant-admin, public onboarding, or provider-backed verification collectionSprint 59: shippedENG-247multi-tenancy governance domain ownership proof publication planning baseline soCephalon.MultiTenancy.Governanceowns deterministic DNS TXT / HTTP file publication instructions and optional plan metadata recording without taking over DNS mutation, HTTP hosting, DNS TXT collection, external polling, tenant-admin, public onboarding, or provider-backed verification collection at that slice boundary; HTTP file proof publication later shipped inENG-253Sprint 60: shippedENG-248multi-tenancy governance domain ownership HTTP proof collection baseline soCephalon.MultiTenancy.Governanceowns bounded on-demand HTTP file proof collection and evaluation while still leaving DNS publication, HTTP publication, DNS TXT collection, external polling, tenant-admin, public onboarding, and provider-backed verification collection outside that slice boundary; HTTP file proof publication later shipped inENG-253Sprint 61: shippedENG-249multi-tenancy governance domain ownership proof verification runner baseline soCephalon.MultiTenancy.Governanceowns one low-glue orchestration entry point across challenge issuance, publication planning, observed-proof evaluation, and optional HTTP file proof collection while still leaving DNS publication, HTTP publication, DNS TXT collection, external polling, tenant-admin, public onboarding, and provider-backed verification collection outside that slice boundary; HTTP file proof publication later shipped inENG-253Sprint 62: shippedENG-250multi-tenancy governance domain ownership DNS TXT proof collection baseline soCephalon.MultiTenancy.Governanceowns configured on-demand DNS TXT proof collection through an explicit DNS-over-HTTPS resolver while still leaving DNS publication, HTTP publication, background polling, tenant-admin, public onboarding, and provider-backed verification mutation outside that slice boundary; background polling scheduling later shipped inENG-252and HTTP file proof publication later shipped inENG-253Sprint 63: shippedENG-251multi-tenancy governance domain ownership proof polling runner baseline soCephalon.MultiTenancy.Governanceowns a bounded on-demand loop that selects pending or rejected HTTP/DNS declarations and delegates each attempt to the verification runner while still leaving DNS publication, HTTP publication, tenant-admin, public onboarding, and provider-backed mutation outside that slice boundary; automatic background scheduling later shipped inENG-252and HTTP file proof publication later shipped inENG-253Sprint 64: shippedENG-252multi-tenancy governance automatic background proof polling baseline soCephalon.MultiTenancy.Governanceowns opt-in generic-host scheduling, startup polling, and last-run runtime-state reporting around the bounded proof polling runner while still leaving DNS publication, HTTP publication, tenant-admin, public onboarding, and provider-backed mutation outside that slice boundary; HTTP file proof publication later shipped inENG-253Sprint 65: shippedENG-253multi-tenancy governance HTTP proof publication baseline soCephalon.MultiTenancy.Governanceowns host-agnostic HTTP proof publication state andCephalon.MultiTenancy.Governance.AspNetCorecan serve published proof files from ASP.NET Core hosts while still leaving DNS/provider mutation, tenant-admin, and public onboarding outside the current proofSprint 66: shippedENG-254multi-tenancy governance tenant administration workflow baseline soCephalon.MultiTenancy.Governanceowns host-driven grant/suspend/expire membership plus issue/accept/revoke/expire invitation commands over the same stores while still leaving host-adapter endpoint mapping, tenant-admin UI, public onboarding, provider-specific invitation senders, and identity-provider sync outside that slice boundary; the ASP.NET Core command endpoint later shipped inENG-255Sprint 67: shippedENG-255multi-tenancy governance ASP.NET Core tenant administration endpoint baseline soCephalon.MultiTenancy.Governance.AspNetCoremaps the optional fail-closedPOST /engine/tenant-administration/commandsendpoint overITenantAdministrationWorkflowand reportstenant-administration-http-endpointsruntime truth while still leaving tenant-admin UI, public onboarding, provider-specific invitation senders, and identity-provider sync outside the current proofSprint 68: shippedENG-256multi-tenancy governance invitation delivery dispatch baseline soCephalon.MultiTenancy.Governanceowns host-agnosticITenantInvitationDeliveryDispatcher,ITenantInvitationDeliverySender, delivery run catalog, outcome metadata,tenancy.invitation.delivery-dispatch, diagnostics4548-4549, and delivery readiness/run-state truth while still leaving email/SMS/chat/identity-provider sender implementations, public onboarding, tenant-admin UI, and identity-provider sync outside the current proofSprint 69: shippedENG-257multi-tenancy governance HTTP invitation delivery sender baseline soCephalon.MultiTenancy.Governance.HttpDeliveryowns the optionalhttp-webhookITenantInvitationDeliverySender, configuration/code-first registration, bounded JSON webhook dispatch, provider-message id capture, diagnostics4550-4551, and focused runtime/tooling/reference-doc coverage while still leaving provider-specific email/SMS/chat/CRM/identity-provider connectors, durable retry queues, callbacks, public onboarding, tenant-admin UI, and identity-provider sync outside the current proofSprint 70: shippedENG-258multi-tenancy governance HTTP invitation delivery webhook signing baseline soCephalon.MultiTenancy.Governance.HttpDeliverycan HMAC-sign the exact JSON body plus dispatch timestamp, emit signature/timestamp/key-id headers, and record safe signed-delivery metadata while still leaving provider-specific invitation connectors, durable retry queues, callback reconciliation, public onboarding, tenant-admin UI, and identity-provider sync outside the current proofSprint 71: shippedENG-259multi-tenancy governance HTTP invitation delivery retry baseline soCephalon.MultiTenancy.Governance.HttpDeliverycan retry configured transient status codes and transport failures with bounded in-process attempts/backoff, fresh requests per attempt, and safe attempt/retry metadata while still leaving durable retry queues, provider-specific delivery-status callback endpoints or provider polling, provider-specific invitation connectors, public onboarding, tenant-admin UI, and identity-provider sync outside the current proofSprint 72: shippedENG-260multi-tenancy governance HTTP invitation delivery idempotency baseline soCephalon.MultiTenancy.Governance.HttpDeliveryemits provider-neutral idempotency headers derived from tenant/invitation/channel/sender or caller-supplied dispatch metadata, keeps the key stable across retry attempts, and records safe idempotency metadata while still leaving durable retry queues, provider-specific delivery-status callback endpoints or provider polling, provider-specific invitation connectors, public onboarding, tenant-admin UI, and identity-provider sync outside the current proofSprint 73: shippedENG-261multi-tenancy governance invitation delivery status reconciliation baseline soCephalon.MultiTenancy.Governancenow owns host-agnosticITenantInvitationDeliveryStatusReconciler, delivery status/status-outcome metadata,tenancy.invitation.delivery-status-reconciliation, diagnostics4552-4553, andtenant-invitations/tenant-administrationruntime metadata for latest provider or receiver status observations while still leaving provider-specific callback endpoints, provider polling, provider-specific invitation connectors, durable retry queues, public onboarding, tenant-admin UI, and identity-provider sync outside the current proofSprint 74: shippedENG-262behavior REST profile runtime ownership metadata baseline soCephalon.Behaviors.Httpnow keeps profile metadata explicitly non-publishing while/engine/rest-endpoints,/engine/rest-endpoint-candidates, andsnapshot.RestEndpointsexpose stable runtime metadata keys for application-owned publication activation, Cephalon-owned materialization/runtime catalog truth, profile metadata ownership, and explicit activation mode forMapProfile<TBehavior>()and generated-profile shorthands — issue #771Sprint 75: shippedENG-263eventing subscription execution binding catalog baseline soCephalon.Eventingnow exposesIEventSubscriptionExecutionBindingCatalogplus stableEventSubscriptionRuntimeMetadataKeys, while Wolverine remains an optional provider-managed binding proof instead of an engine requirement — issue #772Sprint 76: shippedENG-264eventing subscription execution readiness catalog baseline soCephalon.Eventingnow exposesIEventSubscriptionExecutionReadinessCatalogand projectsexecutionReadiness,executionPath, andexecutionReadinessReasonsthroughevent-subscriptionsfor declared-only, application-managed, hosted-execution-linked, and Wolverine runtime-bound paths — issue #773Sprint 77: shippedENG-265eventing subscription readiness operator-surface baseline so readiness contracts now live inCephalon.Abstractions.Data,Cephalon.Eventingowns the implementation, ASP.NET Core exposes/engine/event-subscription-readiness, andsnapshot.EventSubscriptionExecutionReadinesscarries the same host-agnostic readiness answer - issue #774Sprint 78: shippedENG-266agentics tool-run operator-surface baseline so run-state contracts now live inCephalon.Abstractions.Agentics,Cephalon.Agenticsowns dispatcher/reporting implementation, ASP.NET Core exposes/engine/agent-tool-runs, andsnapshot.AgentToolRunscarries the same host-agnostic run-state answer - issue #775Sprint 79: shippedENG-267retrieval knowledge-index operator-surface baseline so index-state contracts now live inCephalon.Abstractions.Retrieval,Cephalon.Retrievalowns indexing/query implementation, ASP.NET Core exposes/engine/knowledge-indexes, andsnapshot.KnowledgeIndexescarries the same host-agnostic index-state answer - issue #776Sprint 80: shippedENG-268retrieval reindex operator-action baseline so indexing command contracts now live inCephalon.Abstractions.Retrieval,Cephalon.Retrievalowns the bounded reindex implementation, and ASP.NET Core exposesPOST /engine/knowledge-indexes/{collectionId}/reindexwithout taking a dependency on retrieval implementation types - issue #777Sprint 81: shippedENG-269agentics tool execution operator-action baseline so dispatcher command contracts now live inCephalon.Abstractions.Agentics,Cephalon.Agenticsowns the bounded tool-dispatch implementation, and ASP.NET Core exposesPOST /engine/agent-tools/{toolId}/runswithout taking a dependency on agentics implementation types - issue #778Sprint 82: shippedENG-270retrieval background reindex scheduler baseline soCephalon.Retrievalcan register an opt-in generic-host scheduler over the existingIKnowledgeIndexer, emitretrieval.background-reindexing, and surfacebackgroundReindexing*runtime metadata without claiming distributed scheduling, vector search, or provider-specific search ownership - issue #779Sprint 83: shippedENG-271eventing in-process subscription execution baseline so lightweight hosts can opt into a Cephalon-managed direct publisher over registeredIEventSubscriptionExecutorservices without requiring Wolverine or claiming durable broker/inbox/retry ownership - issue #780Sprint 84: shippedENG-272eventing publication operator-action baseline so publication command contracts now live inCephalon.Abstractions.Data,Cephalon.Eventingowns the bounded dispatcher over the activeIEventPublisher, and ASP.NET Core exposesPOST /engine/event-publicationswithout taking a dependency on eventing implementation types - issue #781Sprint 85: shippedENG-273eventing in-process subscription retry baseline so the direct process-local publisher can retry transient executor failures with bounded attempts,retry-scheduledruntime observations, and explicit non-durable retry metadata without claiming broker-owned retry queues or distributed scheduling - issue #782Sprint 86: shippedENG-274eventing in-process subscription idempotency baseline so the direct process-local publisher can suppress duplicate completedsubscriptionId + publicationIdexecutions inside a bounded retention window, reportskippedruntime observations, and project explicit non-durable idempotency metadata without claiming durable inbox ownership or cross-node exactly-once delivery - issue #783Sprint 87: shippedENG-275eventing publication runtime operator-state baseline so publication runtime-state contracts now live inCephalon.Abstractions.Data,Cephalon.Eventingreports direct in-processsucceeded/failed/skippedoutcomes and outbox-backedacceptedhandoff posture, ASP.NET Core exposes/engine/event-publications/runtime*, andsnapshot.EventPublicationStatescarries the same bounded publication answer without claiming downstream broker delivery - issue #784Sprint 88: shippedENG-276Wolverine bounded subscription retry terminal failure so the optional provider-managed subscription lane now projectsbounded-fixed-delayretry metadata, honorsSubscriptionMaxAttempts, reports exhausted attempts as terminalfailedruntime state, and stops requeueing poison subscription messages forever without making Wolverine an engine requirement - issue #785Sprint 89: shippedENG-277Wolverine dispatch terminal retry failure so the optional provider-managed dispatch loop now projectsbounded-fixed-delaydispatch retry metadata, honorsDispatchMaxAttempts, reports exhausted no-destination or publish failures as terminalfailedruntime state, and stops poison staged publications from re-entering pending dispatch reads without claiming broker-specific dead-letter ownership - issue #786Sprint 90: shippedENG-278Wolverine dispatch publish-exception terminal proof so the optional provider-managed dispatch loop now has focused coverage for realPublishAsync(...)exceptions: retryable publish failures keeprouting = publish,exceptionType, andnextRetryAtUtc, while exhausted publish failures become terminalfailedobservations and leave pending-dispatch reads without claiming broker-specific dead-letter ownership - issue #787Sprint 91: shippedENG-279first-class event-dispatch terminal-failure runtime posture so/engine/event-dispatches,/engine/event-dispatches/terminal-failures,/engine/event-dispatch-runtimes, technology surfaces, andsnapshot.EventDispatch*expose terminal dispatch failures through typed state/summary fields instead of forcing operators to parsereported.*metadata - issue #788Sprint 92: shippedENG-280Agentics bounded in-process retry posture soExecutionMaxAttemptscan retry failed managed tool executor attempts inside the dispatcher lane,retry-scheduledrun-state observations and/engine/agent-tool-runs/retry-pendingexpose pending process-local retries, and the agentics technology surface reports retry policy without claiming durable queues or provider AI orchestration - issue #789Sprint 93: shippedENG-281Agentics process-local duplicate-run idempotency posture soEnableExecutionIdempotencycan suppress duplicate completedtoolId + runIdexecutions inside the dispatcher lane,DuplicateCompletedplus/engine/agent-tool-runs/idempotency-duplicatesexpose the operator posture, and the agentics technology surface reports non-durable process-local idempotency without claiming durable inboxes, cross-node exactly-once delivery, or provider AI orchestration - issue #790Sprint 94: shippedENG-282Agentics approval-required and terminal-failure operator posture so/engine/agent-tool-runs/approval-required,/engine/agent-tool-runs/terminal-failures,AgentToolRunState.TerminalFailure, and the agentics technology surface expose approval-blocked and terminal failed tool runs without claiming durable approval workflows, dead-letter systems, durable queues, or provider AI orchestration - issue #791Sprint 95: shippedENG-283Retrieval query operator action seam so query command contracts now live inCephalon.Abstractions.Retrieval,Cephalon.Retrievalowns the bounded lexical query implementation, and ASP.NET Core exposesPOST /engine/knowledge-indexes/{collectionId}/querieswithout taking a dependency on retrieval implementation types - issue #792Sprint 95: shippedENG-284Multi-tenancy invitation delivery status callback endpoint baseline soCephalon.MultiTenancy.Governance.AspNetCoreexposes fail-closed normalizedPOST /engine/tenant-invitations/delivery-statusingress overITenantInvitationDeliveryStatusReconcilerwith provider-message-match enforcement and runtime-surface truth - issue #793Sprint 95: shippedENG-285Multi-tenancy invitation delivery status callback signature verification baseline so that normalized callback endpoint can require provider-neutral Cephalon HMAC signatures over the exact JSON body, fail closed before reconciliation, and report signature verification posture without exposing secrets or signature values - issue #800Sprint 95: shippedENG-286Multi-tenancy invitation delivery status callback replay protection baseline so the signed normalized callback endpoint can reject duplicate signed requests inside a bounded process-local replay window, report replay policy/key/scope/durability/retention/cache posture, and stay explicit that provider-specific or distributed callback inboxes and cross-node replay protection remain future work - issue #801Sprint 95: shippedENG-287Multi-tenancy invitation delivery status observation store baseline so the host-agnostic reconciler records normalized accepted and denied delivery-status observations into an in-memory or opt-in local JSON store, reports observation-store kind/durability/scope/history/count/latest posture throughtenant-invitations, and stays explicit that provider-specific callback inboxes, provider polling, and distributed replay remain future work - issue #802Sprint 95: shippedENG-288Multi-tenancy invitation delivery status observation endpoint baseline so ASP.NET Core hosts can map bounded/filterableGET /engine/tenant-invitations/delivery-status/observationsreads overITenantInvitationDeliveryStatusObservationStore, report observation route/auth/limit posture throughtenant-invitation-delivery-status-http-endpoints, and stay explicit that provider-specific callback inboxes, provider polling, distributed replay ledgers, and exactly-once delivery remain future work - issue #803Sprint 95: shippedENG-289Multi-tenancy invitation delivery dispatch endpoint baseline so ASP.NET Core hosts can map fail-closedPOST /engine/tenant-invitations/delivery-dispatchesactions overITenantInvitationDeliveryDispatcher, report route/auth/status-mapping/boundary posture throughtenant-invitation-delivery-http-endpoints, and stay explicit that provider-specific senders, distributed retry queues, public onboarding, tenant-admin UI, identity-provider sync, and provider polling remain future work - issue #804Sprint 95: shippedENG-290Multi-tenancy invitation delivery durable retry queue baseline so the governance core can queue retryable sender failures through opt-inITenantInvitationDeliveryRetryStore, persist them to a local JSON file when configured, replay them through bounded manualITenantInvitationDeliveryRetryRunner.RetryPendingAsync(...), and report queue counts/latest retry posture throughtenant-invitationswithout claiming automatic background scheduling, distributed queues, cross-node leases, provider-specific senders, or exactly-once delivery - issue #805Sprint 96: shippedENG-291Multi-tenancy invitation delivery background retry scheduling baseline so the governance core can opt intoTenantInvitationDeliveryRetryHostedService, schedule the same bounded retry runner on startup/interval, reportITenantInvitationDeliveryRetryRuntimeCatalogstate anddeliveryRetryBackground*metadata throughtenant-invitations, and stay explicit that distributed queues, cross-node leases, provider-specific senders, provider polling/callback inboxes, public onboarding, tenant-admin UI, identity-provider sync, and exactly-once delivery remain future work - issue #806Sprint 97: shippedENG-292Multi-tenancy invitation delivery retry execution coordination baseline so manual and background retry passes share a process-local skip-overlap guard, overlapping passes returnalready-runningwithout dispatching or mutating the retry queue, andITenantInvitationDeliveryRetryExecutionCoordinationCatalogplusdeliveryRetryExecutionCoordination*metadata expose the runtime truth without claiming distributed queues, cross-node leases, or exactly-once delivery - issue #807Sprint 98: shippedENG-293Multi-tenancy invitation delivery SMTP sender baseline soCephalon.MultiTenancy.Governance.SmtpDeliveryowns the optionalsmtp-emailITenantInvitationDeliverySender, configuration/code-first registration, templated email preparation, deterministic SMTP message ids, safe context headers/metadata, replaceableISmtpInvitationDeliveryClient, diagnostics4558-4559, and focused runtime/tooling/reference-doc coverage while still leaving provider-specific email APIs such as SendGrid, Mailgun, SES, or Microsoft Graph, SMS/chat/CRM/identity-provider connectors, bounce/callback translation, provider polling, distributed queues, public onboarding, tenant-admin UI, and identity-provider sync outside this proof - issue #808Sprint 99: shippedENG-294Multi-tenancy invitation delivery SendGrid sender baseline soCephalon.MultiTenancy.Governance.SendGridDeliveryowns the optionalsendgrid-emailITenantInvitationDeliverySender, configuration/code-first registration, templated SendGrid Mail Send API payloads, safe context headers/custom arguments/categories, sandbox-mode validation, providerX-Message-IDcapture, replaceableISendGridInvitationDeliveryClient, diagnostics4560-4561, and focused runtime/tooling/reference-doc coverage while still leaving SendGrid Event Webhook callback translation, webhook signature verification, bounce handling, provider polling, dynamic-template lifecycle management, non-SendGrid email API connectors, SMS/chat/CRM/identity-provider connectors, distributed queues, public onboarding, tenant-admin UI, and identity-provider sync outside this proof - issue #809Sprint 100: shippedENG-295Multi-tenancy invitation delivery SendGrid Event Webhook callback translation baseline soCephalon.MultiTenancy.Governance.SendGridDelivery.AspNetCoreowns the optional fail-closedPOST /engine/tenant-invitations/delivery-status/sendgridtranslator, bounded SendGrid event-array parsing, Cephalon custom-argument extraction,sg_message_idtoX-Message-IDcorrelation, status vocabulary mapping, safe callback metadata, diagnostics4562,tenant-invitation-delivery-sendgrid-status-callbacks, and focused hosting/tooling/reference-doc coverage while still leaving SendGrid signed-webhook verification, durable callback inboxes, distributed replay protection, provider polling, dynamic-template lifecycle management, non-SendGrid callback translation, public onboarding, tenant-admin UI, and identity-provider sync outside this proof - issue #810Sprint 101: shippedENG-296Multi-tenancy invitation delivery SendGrid signed Event Webhook verification soCephalon.MultiTenancy.Governance.SendGridDelivery.AspNetCorecan require SendGrid ECDSA-SHA256 signatures over timestamp plus exact raw request body bytes before JSON parsing or reconciliation, report safe signature posture through callback results, metadata, diagnostics4563, and the same runtime surface, and stay explicit that durable inboxes, distributed replay, provider polling, and non-SendGrid callback semantics remain outside this proof - issue #811Sprint 102: shippedENG-297Multi-tenancy invitation delivery SendGrid signed Event Webhook replay protection baseline soCephalon.MultiTenancy.Governance.SendGridDelivery.AspNetCorecan reject duplicate verified signed callbacks inside a bounded process-local replay window, report safe replay posture through callback results, metadata, diagnostics4564, and the same runtime surface, and stay explicit that durable inboxes, distributed replay ledgers, provider polling, and exactly-once delivery remain outside this proof - issue #812Sprint 103: shippedENG-298Multi-tenancy invitation delivery SendGrid event-id idempotency baseline soCephalon.MultiTenancy.Governance.SendGridDelivery.AspNetCorecan skip duplicate translatedsg_event_idobservations before reconciliation, report safe event-id idempotency posture through callback results, metadata, diagnostics4565, and the same runtime surface, and stay explicit that durable callback inboxes, distributed event-id ledgers, provider polling, and exactly-once delivery remain outside this proof - issue #813Sprint 104: shippedENG-299Multi-tenancy invitation delivery Mailgun sender baseline soCephalon.MultiTenancy.Governance.MailgunDeliveryowns the optionalmailgun-emailITenantInvitationDeliverySender, configuration/code-first registration, templated multipart Messages API payloads, safev:*variables andh:*headers, Mailgun test mode, provider JSONidcapture, replaceableIMailgunInvitationDeliveryClient, diagnostics4566-4567, and focused runtime/tooling/reference-doc coverage while at that point still leaving Mailgun callback translation/signature verification, provider polling, durable callback inboxes, distributed queues, public onboarding, tenant-admin UI, and identity-provider sync outside this proof - issue #814Sprint 105: shippedENG-300Multi-tenancy invitation delivery Mailgun webhook callback translation baseline soCephalon.MultiTenancy.Governance.MailgunDelivery.AspNetCoreowns the optional fail-closedPOST /engine/tenant-invitations/delivery-status/mailgunendpoint, bounded Mailgun JSON object/array parsing, user-variable context extraction,message.headers.message-idcorrelation, Mailgun status translation, safe callback metadata, diagnostics4568, and thetenant-invitation-delivery-mailgun-status-callbacksruntime surface while at that point still leaving Mailgun signature verification (laterENG-301), replay-token rejection (laterENG-302), event-id idempotency (laterENG-303), durable callback inboxes, distributed replay/event-id ledgers, provider polling, exactly-once delivery, public onboarding, tenant-admin UI, and identity-provider sync outside this proof - issue #815Sprint 106: shippedENG-301Multi-tenancy invitation delivery Mailgun signed webhook verification baseline soCephalon.MultiTenancy.Governance.MailgunDelivery.AspNetCorecan require Mailgun HMAC-SHA256 verification overtimestamp + token, acceptsparent-signaturefor subaccount events when configured, rejects invalid signed callbacks before reconciliation, reports safe signature metadata plus diagnostic4569, and keeps replay-token rejection (laterENG-302), event-id idempotency (laterENG-303), durable callback inboxes, distributed replay/event-id ledgers, provider polling, and exactly-once delivery outside this proof - issue #816Sprint 107: shippedENG-302Multi-tenancy invitation delivery Mailgun signed webhook replay protection baseline soCephalon.MultiTenancy.Governance.MailgunDelivery.AspNetCorecan reject duplicate verified Mailgun webhook tokens with409inside a bounded process-local retention window, stores only token fingerprints, reports safe replay metadata plus diagnostic4570, and keeps durable callback inboxes, distributed replay/event-id ledgers, provider polling, and exactly-once delivery outside this proof - issue #817Sprint 108: shippedENG-303Multi-tenancy invitation delivery Mailgun event-id idempotency baseline soCephalon.MultiTenancy.Governance.MailgunDelivery.AspNetCorecan skip duplicate translatedevent-data.idobservations before reconciliation, report safe event-id idempotency posture through callback results, metadata, diagnostics4571, and the same runtime surface, and stay explicit that durable callback inboxes, distributed event-id ledgers, provider polling, and exactly-once delivery remain outside this proof - issue #818Sprint 109: shippedENG-304Multi-tenancy invitation delivery Microsoft Graph sender baseline soCephalon.MultiTenancy.Governance.MicrosoftGraphDeliveryowns the optionalmicrosoft-graph-emailITenantInvitationDeliverySender, configuration/code-first registration, templated GraphsendMailpayloads, safex-*internet message headers, Graph request-id metadata, replaceableIMicrosoftGraphInvitationDeliveryClientandIMicrosoftGraphInvitationDeliveryAccessTokenProviderseams, diagnostics4572-4573, and focused runtime/tooling/reference-doc coverage while still leaving Microsoft Entra app registration, permission consent, mailbox access policy, token-provider implementation beforeENG-305, delivery completion after Graph acceptssendMail, Graph change notifications, provider polling, callback inboxes, Amazon SES v2 handoff later shipped throughENG-306, additional provider-specific email APIs beyond the shipped SMTP/SendGrid/Mailgun/Amazon SES/Microsoft Graph set, SMS/chat/CRM/identity-provider connectors, distributed queues, public onboarding, tenant-admin UI, and identity-provider sync outside this proof - issue #819Sprint 110: shippedENG-305Multi-tenancy invitation delivery Microsoft Graph Azure Identity token provider baseline soCephalon.MultiTenancy.Governance.MicrosoftGraphDelivery.AzureIdentityowns optionalDefaultAzureCredential/explicitTokenCredentialaccess-token acquisition for the Microsoft Graph sender, configuration/code-first scopes, tenant id, managed-identity client id, authority-host selection, safe credential toggles, diagnostics4574-4575, and focused runtime/tooling/reference-doc coverage while still leaving Microsoft Entra app registration, GraphMail.Sendpermission consent, mailbox access policy, credential lifecycle policy beyond the selected Azure credential, delivery completion after Graph acceptssendMail, Graph change notifications, provider polling, callback inboxes, Amazon SES v2 handoff later shipped throughENG-306, additional provider-specific email APIs beyond the shipped SMTP/SendGrid/Mailgun/Amazon SES/Microsoft Graph set, SMS/chat/CRM/identity-provider connectors, distributed queues, public onboarding, tenant-admin UI, and identity-provider sync outside this proof - issue #820Sprint 111: shippedENG-306Multi-tenancy invitation delivery Amazon SES sender baseline soCephalon.MultiTenancy.Governance.AmazonSesDeliveryowns the optionalamazon-ses-emailITenantInvitationDeliverySender, configuration/code-first registration, templated SES v2SendEmailpayloads, safe region/configuration-set/status/message-id/tag/recipient metadata, replaceableIAmazonSesInvitationDeliveryClientseam, diagnostics4576-4577, and focused runtime/tooling/reference-doc coverage while still leaving AWS account/IAM/identity verification, DKIM/SPF/DMARC, SES sandbox exit, configuration-set event destination setup, provider polling, callback inboxes, SMS/chat/CRM/identity-provider connectors, distributed queues, public onboarding, tenant-admin UI, and identity-provider sync outside this proof; Amazon SES over SNS callback translation later shipped throughENG-307- issue #821Sprint 112: shippedENG-307Multi-tenancy invitation delivery Amazon SES SNS callback translation baseline soCephalon.MultiTenancy.Governance.AmazonSesDelivery.AspNetCoreowns the optional fail-closedPOST /engine/tenant-invitations/delivery-status/amazon-sestranslator, bounded SNSNotificationparsing, SES event JSON unwrapping, Cephalonmail.tagscontext extraction,mail.messageIdcorrelation, SES delivery status mapping, safe callback metadata, diagnostics4578, andtenant-invitation-delivery-amazon-ses-status-callbackswhile SNS signature verification, process-local SNS replay protection, SNS message-id idempotency, and verified SNS subscription confirmation later shipped throughENG-308,ENG-309,ENG-310, andENG-311; durable callback inboxes, distributed replay/event-id ledgers, provider polling, public onboarding, tenant-admin UI, and identity-provider sync remain outside this proof - issue #822Sprint 113: shippedENG-308Multi-tenancy invitation delivery Amazon SES SNS signature verification baseline soCephalon.MultiTenancy.Governance.AmazonSesDelivery.AspNetCorecan require SNS envelope verification before translation, enforce signature version 2 and allowedTopicArnby default, validate HTTPS Amazon SNS signing-certificate URLs, optionally use pinned PEM certificates for controlled tests, record safe signature metadata, emit diagnostics4579, and report signature-version/topic/certificate posture throughtenant-invitation-delivery-amazon-ses-status-callbackswhile process-local SNS replay protection, SNS message-id idempotency, and verified SNS subscription confirmation later shipped throughENG-309,ENG-310, andENG-311; durable callback inboxes, distributed replay/event-id ledgers, provider polling, public onboarding, tenant-admin UI, and identity-provider sync remain outside this proof - issue #823Sprint 114: shippedENG-309Multi-tenancy invitation delivery Amazon SES SNS replay protection baseline soCephalon.MultiTenancy.Governance.AmazonSesDelivery.AspNetCorecan reject duplicate verified SNS callbacks by bounded process-localTopicArnplusMessageIdfingerprints before reconciliation, record safe replay metadata, emit diagnostics4580, and report replay policy/key/scope/durability/retention/cache posture throughtenant-invitation-delivery-amazon-ses-status-callbackswhile still leaving observation-store-backed SNS message-id idempotency toENG-310and verified SNS subscription confirmation toENG-311; SES event-destination setup, durable callback inboxes, distributed replay/event-id ledgers, provider polling, public onboarding, tenant-admin UI, and identity-provider sync outside this proof - issue #824Sprint 115: shippedENG-310Multi-tenancy invitation delivery Amazon SES SNS message-id idempotency baseline soCephalon.MultiTenancy.Governance.AmazonSesDelivery.AspNetCorecan skip duplicate translated SNSMessageIdobservations before reconciliation throughITenantInvitationDeliveryStatusObservationStore, return aggregateduplicateEventsplus per-eventduplicate-skippedoutcomes, record safe idempotency metadata, emit diagnostics4581, and report message-id idempotency policy/key/scope/store-durability posture throughtenant-invitation-delivery-amazon-ses-status-callbackswhile still leaving verified SNS subscription confirmation toENG-311; SES event-destination setup, durable callback inboxes, distributed replay/event-id ledgers, provider polling, public onboarding, tenant-admin UI, and identity-provider sync outside this proof - issue #825Sprint 116: shippedENG-311Multi-tenancy invitation delivery Amazon SES SNS subscription confirmation baseline soCephalon.MultiTenancy.Governance.AmazonSesDelivery.AspNetCorecan confirm verified SNSSubscriptionConfirmationenvelopes from allowed topics through replaceableIAmazonSesSnsSubscriptionConfirmationClient, return subscription-confirmation aggregate fields, emit diagnostics4582-4583, and report confirmation ownership/policy/timeout posture throughtenant-invitation-delivery-amazon-ses-status-callbackswhile still leaving SNS topic/subscription creation, SES event-destination setup, subscription lifecycle governance, durable callback inboxes, distributed replay/event-id ledgers, provider polling, public onboarding, tenant-admin UI, and identity-provider sync outside this proof - issue #826Sprint 117: shippedENG-312Multi-tenancy invitation delivery Amazon SES SNS unsubscribe confirmation observation baseline soCephalon.MultiTenancy.Governance.AmazonSesDelivery.AspNetCorecan observe verified SNSUnsubscribeConfirmationenvelopes from allowed topics, validate but never invokeSubscribeURL, return unsubscribe-confirmation aggregate fields, emit diagnostic4584, and report unsubscribe-confirmation ownership/action/SubscribeURL posture throughtenant-invitation-delivery-amazon-ses-status-callbackswhile still leaving SNS topic/subscription creation, SES event-destination setup, automatic resubscribe/restore, subscription lifecycle governance, durable callback inboxes, distributed replay/event-id ledgers, provider polling, public onboarding, tenant-admin UI, and identity-provider sync outside this proof - issue #827Sprint 118: shippedENG-313Multi-tenancy delivery status observation rollup operator summary soCephalon.MultiTenancy.Governance.AspNetCorereturns filtered status/outcome/source/channel/sender/tenant summaries with boundedGET /engine/tenant-invitations/delivery-status/observationsresponses, reports observation-summary ownership/scope/dimensions throughtenant-invitation-delivery-status-http-endpoints, and stays explicit that provider-specific callback inboxes, provider polling, distributed replay ledgers, and exactly-once delivery remain future work - issue #828Sprint 119: shippedENG-314Multi-tenancy delivery status observation attention drill-down baseline soCephalon.MultiTenancy.Governance.AspNetCoreclassifies matched observations into stable attention categories, supportsattention=drill-down filtering fordelivery-failed,delivery-deferred,delivery-suppressed,delivery-unknown,reconciliation-gap, andrecording-gap, reports attention ownership/scope/categories throughtenant-invitation-delivery-status-http-endpoints, and stays explicit that this remains an operator/audit projection over normalized observations, not provider-specific callback inbox, provider polling, distributed replay, or exactly-once delivery ownership - issue #829Sprint 120: shippedENG-315Multi-tenancy delivery status observation remediation hints baseline soCephalon.MultiTenancy.Governance.AspNetCorederives deterministic remediation hints from matched normalized observations before response limiting, exposes stable action labels plus hint descriptors with counts/latest timestamps/drill-down filters, reports remediation-hint ownership/scope/actions throughtenant-invitation-delivery-status-http-endpoints, and stays explicit that these are operator guidance only, not provider polling, distributed remediation execution, callback inbox, distributed replay, or exactly-once delivery ownership - issue #830Sprint 121: shippedENG-316Multi-tenancy delivery status observation remediation action filter baseline soCephalon.MultiTenancy.Governance.AspNetCorecan summarize matched observations by stable remediation action, supportsremediation=drill-down filtering over the same normalized observation set, reports remediation-filter ownership/scope throughtenant-invitation-delivery-status-http-endpoints, and stays explicit that this is an operator/audit projection only, not provider polling, distributed remediation execution, callback inbox, distributed replay, or exactly-once delivery ownership - issue #831Sprint 122: shippedENG-317Multi-tenancy delivery status observation provider-message drill-down baseline soCephalon.MultiTenancy.Governance.AspNetCorecan summarize matched observations byproviderMessageId, supportsproviderMessageId=drill-down filtering over the same normalized observation set, reports provider-message filter ownership/scope throughtenant-invitation-delivery-status-http-endpoints, and stays explicit that this is an operator/audit projection only, not provider polling, provider-specific callback inbox, distributed replay, or exactly-once delivery ownership - issue #832Later / not scheduled yet: actual DNS proof publication, provider-backed proof publication or mutation, remediation execution beyond status transitions, distributed or provider-backed membership/invitation/domain/action-store backends, additional provider-specific email API senders beyond the shipped SMTP/SendGrid/Mailgun/Amazon SES/Microsoft Graph set, SMS/chat/CRM/identity-provider invitation senders, Microsoft Entra app registration/permission consent/mailbox access policy, AWS account/IAM/identity verification, DKIM/SPF/DMARC, SES sandbox/configuration-set event destination setup, SNS topic/subscription creation, automatic resubscribe/restore, subscription lifecycle governance, distributed retry queues, provider-specific or distributed callback inboxes, cross-node callback replay protection, distributed event-id ledgers, provider-specific callback payload translation beyond shipped SendGrid/Mailgun/Amazon SES translators, provider-specific callback signature verification beyond shipped SendGrid/Mailgun/Amazon SNS hardening, provider polling, identity-provider synchronization, public onboarding, and tenant-admin UI/backoffice flows forCephalon.MultiTenancy.Governance, further cloud/platform integrations beyond the shipped phase 6 baseline,ENG-054hybrid-runtime service-mesh and serverless expansion, and future solution-level expansion only when an explicit adoption scenario needs them
Planning principles
Section titled “Planning principles”- prefer stabilizing the shipped surface over inventing new layers too early
- keep the engine configuration-driven and host-agnostic by default
- keep logical data selection separate from physical database topology so one codebase can move between layouts without rewriting hosts
- keep future-facing technology choices additive through explicit technology profiles instead of blueprint explosion
- treat scaffolding, CLI, and benchmark coverage as part of the engine product, not side tools
- make every new runtime feature observable, testable, and benchmarkable
- prove one relational-first golden path before widening provider-family or hybrid-runtime claims
- keep orchestration additive and delay distributed runners until package loading, lifecycle, and policy are strong enough
- make every mixed-maturity family declare whether a surface is
taxonomy-only,application-managed,cephalon-managed, orprovider-managedbefore broadening the claim - treat the eventing-family proof as landed through
ENG-231plus theENG-263/ENG-264/ENG-265read seams, theENG-271core in-process execution lane, theENG-272bounded publication operator action, theENG-273bounded process-local retry proof, theENG-274bounded process-local idempotency proof, theENG-275publication runtime-state read proof, theENG-276optional Wolverine bounded provider-managed subscription retry proof, theENG-277/ENG-278optional Wolverine bounded provider-managed dispatch terminal proofs, and theENG-279first-class terminal dispatch-state operator posture, the agentics-family proof as landed throughENG-232plus theENG-266/ENG-269operator seams,ENG-280bounded process-local retry posture,ENG-281bounded process-local duplicate-completed idempotency posture, andENG-282approval-required plus terminal-failure operator posture, and the retrieval-family proof as landed throughENG-233plus theENG-267/ENG-268/ENG-270/ENG-283operator and scheduler seams, then keep the same narrow managed-proof bias over broad descriptor growth in remaining mixed-maturity families - treat intentional metadata-only or catalog-only work as valid only when docs, planning, and runtime surfaces label it honestly
Phase 0: Foundation shipped
Section titled “Phase 0: Foundation shipped”Status: substantially complete
What is already in place:
- app model and blueprint contracts
- technology-profile contract for future-facing workload guidance
- module discovery and dependency ordering
- lifecycle baseline with runtime status
- manifest v2 and runtime introspection endpoints
- ASP.NET Core and worker host adapters
- transport adapter split
- scaffold generation and CLI baseline
- observability baseline
- benchmark baseline
What still belongs to foundation hardening:
- richer runtime failure and restart policies beyond the shipped baseline
- more actionable diagnostics for module/package authors
Phase 1: SDK hardening and external adoption
Section titled “Phase 1: SDK hardening and external adoption”Status: substantially complete
Goal: turn the current repo from “good internal foundation” into something other teams can adopt predictably.
Deliverables:
- package/version compatibility guidance
- CLI polish for real developer workflows
- generated output that stays aligned across
Cephalon.Scaffolding,Cephalon.Cli,Cephalon.TemplatePack, and the repository package catalog - GraphQL transport delivery that keeps the runtime catalog, scaffold output, tests, and component docs aligned with the adapter split
- DocFX-ready XML comments across the supported published assembly set, with tests kept outside that publishing boundary unless promoted intentionally
- technology profiles that stay aligned across runtime introspection, scaffolding, CLI, and template defaults
- companion packages that turn selected technology profiles into reusable runtime primitives without bloating the engine core
- module-authoring starters and reference packages that stay aligned with runtime contracts
- operational polish on top of the shipped failure-policy and health/telemetry baselines
Exit criteria:
- a new team can create a Cephalon app without copying code out of this repo manually
- a new module can be authored from a supported starter path
- generated apps, docs, package references, and install surfaces stay aligned with the shipped engine conventions
Current note:
- the supported phase-1 adoption baseline is now shipped across public-surface hardening, GraphQL transport delivery, compatibility guidance, DocFX-ready XML comments, the explicit test-harness visibility policy that keeps shared helpers internal while leaving only framework-required xUnit classes and a narrow reflective transport-contract exception public in
tests/Cephalon.Tests, the release package-artifact baseline that defines the intended shipped NuGet/template surface explicitly, the shipped checksum/provenance manifest follow-through underENG-032, and a dedicated.NET toolinstall surface forCephalon.Cli
Phase 2: Operational hardening
Section titled “Phase 2: Operational hardening”Status: substantially complete
Goal: make Cephalon safe to operate in real environments.
Deliverables:
- deeper readiness and liveness semantics beyond the shipped baseline
- richer runtime failure, stop, and restart policies beyond the shipped baseline
- richer structured diagnostics and event IDs across packages
ILoggerprovider integration such as Serilog when hosts need richer sinks, enrichers, or log-routing behavior without inventing a new logging abstraction- ASP.NET Core request/response logging with bounded body capture and trace/log correlation over the shared
ILoggerpipeline - clearer operational answers to “what loaded, what started, what failed, and why?”
- benchmark-driven performance guardrails for hot engine paths
Current inventory:
docs/operational-hardening-gap-inventory.mdnow records the shipped baseline versus the remaining phase-2 gaps so follow-through work stays grounded in the code that already exists- that inventory now includes shipped
Cephalon.Observability.OpenTelemetryandCephalon.Observability.Serilogcompanion packages plus shippedCephalon.Observability.CassandraDependencies,Cephalon.Observability.ClickHouseDependencies,Cephalon.Observability.ConsulDependencies,Cephalon.Observability.ElasticsearchDependencies,Cephalon.Observability.HttpDependencies,Cephalon.Observability.KafkaDependencies,Cephalon.Observability.MemcachedDependencies,Cephalon.Observability.MongoDbDependencies,Cephalon.Observability.MqttDependencies,Cephalon.Observability.MySqlDependencies,Cephalon.Observability.NatsDependencies,Cephalon.Observability.Neo4jDependencies,Cephalon.Observability.OpenSearchDependencies,Cephalon.Observability.OracleDependencies,Cephalon.Observability.PostgresDependencies,Cephalon.Observability.RabbitMqDependencies,Cephalon.Observability.RedisDependencies, andCephalon.Observability.SqlServerDependenciescompanion packages, together with a published runtime diagnostics catalog, runtime-story surface, configurable failure-policy warmup/drain/backoff semantics, opt-in ASP.NET Core request/response body logging with request/trace correlation plus default sensitive-value redaction, explicit release-validation guidance for health/export conventions, and refreshed benchmark guardrails that separate prepared composition/lifecycle hot paths plus strict trust-policy composition plus bounded, correlated, and concurrent ASP.NET Core request-logging paths from benchmark harness setup - the remaining cloud-vendor tracing/export follow-through has been re-scoped into phase 6 cloud and platform integrations because the expanded self-hosted plus AWS plus Azure plus GCP plus Huawei Cloud plus Alibaba Cloud plus Oracle Cloud plus DigitalOcean plus Red Hat OpenShift plus VMware Tanzu plus Kubernetes target list, together with the downstream Cloudflare/custom-provider guidance path and the now-explicit Grafana Cloud OTLP/header follow-through target, is broader than the shipped phase-2 operational baseline
Exit criteria:
- operators can diagnose engine startup and module failures quickly
- host health semantics are predictable across ASP.NET Core and worker hosts
- performance regressions in composition/runtime/scaffolding are caught intentionally
Phase 3: Extensibility and package loading
Section titled “Phase 3: Extensibility and package loading”Status: substantially complete
Goal: let Cephalon load and validate independently shipped module packages.
Current baseline already in place:
- explicit package assembly paths can be declared through
Engine:Discovery:Packages - package manifests can be declared through
Engine:Discovery:Packages - package directories can be scanned through
Engine:Discovery:PackageDirectories - package metadata can be governed through
Engine:PackagePolicy - package manifests can declare package-to-package dependencies with version bounds
- package-loaded modules flow through the same runtime/module contracts
- package load results are exposed through
/engine/packagesand manifest v2 metadata - package trust and capability policy are exposed through
Engine:Trustand/engine/trust-policy - package publisher and signer provenance can be declared and evaluated through package manifests and trust allow-lists
- detached package signatures can be cryptographically verified against trusted public keys or trusted signing certificate chains
- package manifests can declare external distribution metadata and provenance metadata that stay visible through
/engine/packages - module-author guidance now covers release-channel, package URI, source revision, build URI, and provenance statement hints for externally distributed packages
Exit criteria:
- Cephalon can load distributable module packages without relying on one monolithic app assembly
- package errors fail fast with actionable messages
Phase 4: Execution and orchestration model
Section titled “Phase 4: Execution and orchestration model”Status: substantially complete
Goal: expand from a composition engine into a richer execution platform.
Current baseline already in place:
- active modules can now contribute operator-facing execution graphs through
IExecutionGraphContributor - active modules can now contribute operator-facing hosted executions through
IHostedExecutionContributor - execution graphs are surfaced through
IExecutionRuntimeCatalog,/engine/execution-graphs, and/engine/snapshot - hosted executions are surfaced through
IHostedExecutionRuntimeCatalog,/engine/hosted-executions, and/engine/snapshot - execution-graph lifecycle state is now surfaced through
/engine/runtime-storyand/engine/snapshot, including load, activate, and deactivate transitions - hosted-execution lifecycle state is now surfaced through
/engine/runtime-storyand/engine/snapshot, including load, activate, and deactivate transitions - execution-graph and hosted-execution lifecycle transitions now publish through the shared diagnostics catalog plus
cephalon.execution-graphs.transitionsandcephalon.hosted-executions.transitions - agentic tools can now link back to capability keys, execution graphs, and hosted executions through the existing
Cephalon.Agenticscontract instead of inventing a parallel orchestration registry /engine/technology-surfacesand/engine/snapshotnow project those linked AI/orchestration entries with live runtime-story state- graph descriptors stay additive to the existing module/capability model through module ids and capability-key references
- hosted-execution descriptors stay additive to the existing module and Generic Host model instead of introducing a separate engine-owned runner
- invalid graph ids, entry nodes, edges, module references, and capability references now fail during build instead of leaking broken runtime metadata
- invalid hosted-execution ids, source-module references, and cross-module execution-graph references now fail during build instead of leaking broken runtime metadata
- invalid agent-tool references to unknown capability keys, execution graphs, or hosted executions now fail when the agentic tool catalog is resolved instead of leaking broken orchestration metadata
Exit criteria:
- orchestration features build on the same runtime model instead of bypassing it
- long-running engine behavior is observable and policy-driven
Phase 5: Solution-level platform
Section titled “Phase 5: Solution-level platform”Status: substantially complete
Goal: support higher-level solution shapes, not only individual Cephalon apps.
Current baseline already in place:
SuiteScaffoldPlanandSuiteScaffoldServicenow define a separate suite-level scaffold contract for shared projects, shared folders, and per-service slotsScaffoldScopes.Suitenow marks suite-owned shared assets explicitly instead of overloading the current single-app scaffold scopes- the first suite-shape validation baseline now fails when service-slot dependencies or shared-folder ownership point at undeclared suite identities
SuiteBlueprintandBuiltInSuiteBlueprintsnow define a built-inMicroserviceSuiteblueprint that composes repeatable service slots from the existingMicroserviceapp blueprint- suite shared-foundation defaults now reuse the shipped
Microservicefoundation template and package hints instead of defining a second disconnected service-level project shape samples/Cephalon.Sample.MicroserviceSuitenow demonstrates a shared foundation project plus separate catalog and orders services on top of the existingMicroservicehost wiringshared/Cephalon.Sample.MicroserviceSuite.Governancenow demonstrates a shared governance package that keeps optional gateway/control-plane guidance additive to the suite sample instead of folding it into the engine or suite contract
Deliverables:
MicroserviceSuiteblueprint composed from the existing app-levelMicroservicescaffold contract is now shipped- solution-level samples for multiple Cephalon services are now shipped
- shared governance/convention packages are now shipped in the suite sample baseline
- optional gateway or control-plane guidance is now documented as an additive sample-level layer rather than a required suite-contract feature
Exit criteria:
- Cephalon can describe and scaffold not only one service, but an intentional suite of services
- the suite model still reuses the same engine, blueprint, and package contracts
Phase 6: Cloud and platform integrations
Section titled “Phase 6: Cloud and platform integrations”Status: later
Goal: add deployment-targeted companion integrations without pushing vendor assumptions into the engine core.
Current baseline already in place:
- cloud-neutral OTLP exporter wiring through
Cephalon.Observability.OpenTelemetry - the shared
Microsoft.Extensions.Logging.ILoggerpipeline plusCephalon.Observability.Serilog - correlated ASP.NET Core request/response logging through
Engine:Observability:HttpLogging - host-agnostic runtime, diagnostics, health, and validation surfaces that later cloud-targeted companions can build on
- self-hosted collector and runtime defaults plus Azure Monitor, AWS, GCP, Huawei Cloud, Alibaba Cloud, Oracle Cloud, Red Hat OpenShift, DigitalOcean, VMware Tanzu, and Kubernetes are now shipped as the first slices on top of the cloud-neutral OTLP baseline,
#120has now shipped downstream Cloudflare/custom-provider authoring guidance because current Cloudflare docs center Worker-native telemetry export to third-party OTLP destinations rather than a generic external-host sink,#126has now shipped Grafana Cloud OTLP endpoint wiring plus access-policy-backed auth headers, and#127has now shipped New Relic native OTLP/api-key guidance as the latest explicit vendor-specific child
Deliverables:
- self-hosted observability companion follow-through for OTLP-collector-managed deployments and host-managed runtime defaults is now shipped
- Azure Monitor companion follow-through as the first explicit cloud-specific slice on top of the shared OpenTelemetry baseline is now shipped
- AWS companion follow-through as the second explicit cloud-specific slice on top of the shared OpenTelemetry baseline is now shipped
- GCP companion follow-through is now shipped as the third explicit cloud-specific slice on top of the shared OpenTelemetry baseline
- Huawei Cloud companion follow-through is now shipped as the fourth explicit cloud-specific slice on top of the shared OpenTelemetry baseline
- Alibaba Cloud companion follow-through is now shipped as the fifth explicit cloud-specific slice on top of the shared OpenTelemetry baseline
- Oracle Cloud companion follow-through is now shipped as the latest cloud-specific slice on top of the shared OpenTelemetry baseline, centered on Oracle Cloud APM traces/metrics ingestion plus hosted Oracle defaults instead of folding Oracle-specific data-upload and data-key rules back into the generic OTLP package
- Red Hat OpenShift companion follow-through is now shipped as the latest platform-first slice on top of the shared OpenTelemetry baseline
- DigitalOcean companion follow-through is now shipped as the latest collector-first slice on top of the shared OpenTelemetry baseline, centered on runtime defaults and collector handoff instead of an over-claimed managed OTLP exporter path
- VMware Tanzu companion follow-through is now shipped as the latest proxy-first slice on top of the shared OpenTelemetry baseline, centered on Wavefront proxy handoff and hosted Tanzu defaults instead of a generic vendor-direct OTLP exporter claim
- Kubernetes companion follow-through is now shipped as the latest platform-neutral collector-first slice on top of the shared OpenTelemetry baseline, centered on in-cluster collector wiring and generic cluster resource defaults instead of a vendor-specific managed exporter claim
- downstream Cloudflare and custom-provider companion authoring guidance is now shipped under
#120, keeping the remaining Cloudflare follow-through honest about the current Worker-native export model instead of promising a generic first-party host-side sink - Grafana Cloud companion follow-through is now shipped as the latest explicit OTLP endpoint/auth-header slice on top of the shared OpenTelemetry baseline, centered on direct Grafana Cloud endpoint wiring plus access-policy-backed auth headers while keeping the collector-first path available
- New Relic companion follow-through is now shipped as the latest explicit native OTLP endpoint/api-key slice on top of the shared OpenTelemetry baseline, centered on region-aware endpoint defaults plus required
api-keyheader guidance while keeping the collector-first path available - exporter wiring, auth, resource-attribute conventions, and hosted-runtime defaults that stay inside companion packages instead of
Cephalon.Engine - documentation, validation, and planning guidance that make the supported targets, deployment assumptions, and downstream companion-package authoring path explicit
- a clear package split whenever different clouds or platforms need distinct companion packs instead of one overloaded abstraction
Exit criteria:
- self-hosted collector and runtime defaults can be enabled on top of the shipped OTLP baseline without modifying
Cephalon.EngineorCephalon.Abstractions - supported cloud and platform integrations can be enabled without modifying
Cephalon.EngineorCephalon.Abstractions - downstream developer-authored provider packages can reuse the shared telemetry contract without modifying
Cephalon.EngineorCephalon.Abstractions - the shared
ILoggerpipeline and cloud-neutral OTLP baseline remain intact - docs, validation flows, and planning metadata make the supported targets explicit
Phase 7: External adoption and operator readiness
Section titled “Phase 7: External adoption and operator readiness”Status: substantially complete
Goal: let external teams install, validate, package, and run Cephalon outside this repository without repo-only tribal knowledge.
Current baseline already in place:
Cephalon.Clialready ships a workingnewcommand plus hosted-reference-doc workflowsCephalon.TemplatePackalready ships installable blueprint and module starters- sample apps and a reference module package already prove the main blueprint and package-authoring shapes inside the repo
- package manifests, trust policy, package policy, and
/engine/packagesalready expose the runtime package-loading contract - runtime status, health, diagnostics, runtime-story, and telemetry-export surfaces already give operators a truthful runtime answer once a host is running
- release validation, package publishing, and template/tool install smoke coverage already existed before phase 7, even though they started from a Windows-first baseline
Deliverables:
- cross-platform script, shell, and CI parity for the repo-native validation, packaging, and install surfaces
- a first-run adoption path with an environment-doctor or equivalent self-check flow in
Cephalon.Cli - a machine-readable deployment-mode support contract that keeps trim / Native AOT / single-file support claims aligned with readiness validation, package-publishing guidance, and human-facing docs before Cephalon widens its external support matrix
- a generated-app bootstrap verification follow-through that reuses
cephalon doctorto validate a scaffolded app root, package-source baseline, host project, and publish profile before the first restore, run, publish, or deployment replay - an end-to-end external module-package lifecycle prove-out that exercises publish, trust, load, and runtime introspection outside the repo-local assembly path
- a containerized local runtime/operations sample path that proves health, config-loading, and telemetry/export handoff under Docker Desktop or WSL-friendly environments without pushing Docker-specific behavior into the engine core
- generated-app bootstrap assets and package-source guidance that let a freshly scaffolded app restore, build, and run from a seeded local feed or a replaced external source without rediscovering Cephalon’s package assumptions
- a generated-app published-output baseline that proves scaffolded hosts can be folder-published, started from published artifacts, and inspected through the shipped runtime, health, and docs surfaces
- a generated-app Windows Service deployment baseline that proves scaffolded hosts carry an installable self-hosted Windows service-manager shape after publish without inventing platform-specific packaging from scratch
- a generated-app IIS deployment baseline that proves scaffolded hosts carry a hosted Windows site/app-pool shape after publish without inventing platform-specific ASP.NET Core Module packaging from scratch
- a generated-app Azure App Service deployment baseline that proves scaffolded hosts carry a hosted Azure ZIP-deploy shape after publish without inventing cloud-specific packaging from scratch
- a generated-app container-image publishing baseline that proves scaffolded hosts carry a provider-neutral build/tag/push image shape from the generated Dockerfile and app root without inventing a registry workflow from scratch
- a generated-app Azure Container Apps deployment baseline that proves scaffolded hosts carry a hosted Azure source-deploy shape from the generated Dockerfile and app root without inventing cloud-specific container-deploy packaging from scratch
- a generated-app Kubernetes deployment baseline that proves scaffolded hosts carry a platform-neutral manifest/apply shape from the generated Dockerfile and app root without inventing a second cluster-deploy packaging workflow from scratch
- a generated-app Linux
systemddeployment baseline that proves scaffolded hosts carry an installable self-hosted service-manager shape after publish without inventing platform-specific packaging from scratch
Current status as of April 29, 2026:
ENG-033is implemented: repo-native validation, package publishing, and reference-doc flows now run throughpwsh-friendly scripts with Windows and Ubuntu CI legsENG-034is implemented:Cephalon.Clinow shipscephalon doctor, and the repo now has a dedicated getting-started path plus aligned help/readme guidanceENG-035is implemented: published module.nupkgartifacts can now be staged throughcephalon package stage, loaded from out-of-tree package directories, and verified through trust/policy/runtime-introspection coverageENG-036is implemented: the modular monolith sample now ships a Dockerfile, compose stack, collector config, optional package-directory override, container-runtime docs, and an optional smoke script that verifies Docker Desktop / WSL-friendly runtime startup plus/health/*and/engine/*replayENG-037is implemented:cephalon newand the shippeddotnet newapp starters now emitNuGet.configplus a local package-feed placeholder, the shared prerelease package-version baseline is aligned again, and a real generated app has been verified through scaffold -> package publish -> build -> Docker compose smokeENG-038is implemented: scaffolded hosts and shippeddotnet newapp starters now emitProperties/PublishProfiles/CephalonFolder.pubxml, publish into deterministicartifacts/publish/<ProjectName>/output, and are verified through a real scaffold -> package publish -> folder publish -> run published output smoke pathENG-039is implemented: scaffolded hosts and shippeddotnet newapp starters now emit Linuxsystemddeployment assets underdeploy/linux/systemd/, and those generated units are verified through a real scaffold -> package publish -> folder publish -> WSLsystemd-analyze verifysmoke pathENG-040is implemented: scaffolded hosts and shippeddotnet newapp starters now emit Windows Service deployment assets underdeploy/windows-service/, and those generated install/remove scripts are verified through a real scaffold -> package publish -> folder publish -> install-preview smoke path against published outputENG-041is implemented: scaffolded hosts and shippeddotnet newapp starters now emit IIS deployment assets underdeploy/iis/, and those generated install/remove scripts plus the SDK-generated ANCMweb.configare verified through a real scaffold -> package publish -> folder publish -> install-preview smoke path against published outputENG-042is implemented: scaffolded hosts and shippeddotnet newapp starters now emit Azure App Service deployment assets underdeploy/azure-app-service/, and those generated ZIP packaging and deploy-preview scripts are verified through a real scaffold -> package publish -> folder publish -> run-from-package smoke path against the current Azure CLI contractENG-043is implemented: scaffolded hosts and shippeddotnet newapp starters now emit Azure Container Apps deployment assets underdeploy/azure-container-apps/, and those generated source-deploy scripts are verified through a real scaffold -> package publish -> local Docker build -> deploy-preview smoke path against the current Azure CLI contractENG-044is implemented: scaffolded hosts and shippeddotnet newapp starters now emit Kubernetes deployment assets underdeploy/kubernetes/, and those generated manifest/apply scripts are verified through a real scaffold -> package publish -> local Docker build ->kubectl kustomizepreview smoke path against the generated app rootENG-045is implemented: scaffolded hosts and shippeddotnet newapp starters now emit container-image publishing assets underdeploy/container-image/, and those generated build/tag/push scripts are verified through a real scaffold -> package publish -> local Docker build -> local-registry push smoke path against the generated app rootENG-209is implemented:Cephalon.Clinow extendscephalon doctorwith--app-root <path>so a freshly scaffolded app can truthfully validate its.slnx,Directory.Packages.propsbaseline,NuGet.configcephalonsource and package-source mapping, seeded local feed or external source, generated host project, andCephalonFolder.pubxmlprofile from one command path before restore, run, publish, or deployment workENG-213is implemented:cephalon doctor --app-root <path>now also validates the generatedDockerfileplus the shipped container-image, Azure Container Apps, and Kubernetes deployment assets and checks that the Dockerfile SDK/runtime base-image tags still align with the generated host target framework baseline before container deployment workENG-214is implemented:cephalon doctor --app-root <path>now also validates the shipped Windows Service, IIS, Azure App Service, and Linuxsystemddeployment assets and checks that those generated published-output baselines still align with the current host identity before self-hosted or hosted deployment workENG-215is implemented:cephalon doctor --app-root <path>now also validates the shippedcompose.yamlandotel-collector-config.yamllocal orchestration assets, checks that the generated compose baseline still aligns with the Dockerfile plus OTLP collector handoff, and checks that the collector config still exposeshealth_check,otlp/httpon4318, and the debug-exporter pipelines before localdocker compose up --buildworkENG-216is implemented:cephalon doctor --app-root <path>now also validates the generatedConfigurations/AddOpenApi.jsonandConfigurations/AddReferenceDocs.jsondocumentation-surface assets, checks that the generated OpenAPI title and hosted reference-doc settings stay explicit in split project config, and keeps/scalarplus optional hosted reference-doc posture visible before teams rely on those routesENG-217is implemented:cephalon doctor --app-root <path>now also validates the generatedConfigurations/AddEngine.*.jsonassets plusConfigurations/Observability/Development.json, checks that the scaffolded app-model, engine-feature, observability, localization, and development Serilog split-config baselines stay explicit, and keeps split project configuration posture visible before teams rely on those generated runtime, docs, or telemetry defaultsENG-218is implemented:cephalon doctor --app-root <path>now also validates the scaffoldedProgram.csbootstrap source plus the generated host-projectPackageReferenceset andConfigurations/**/*.jsoncopy/publish baseline, checks that explicitAddCephalonProjectConfigurationsplusMapCephalonwiring stay visible, and keeps host startup plus build/publish bootstrap posture visible before teams rely on edited startup codeENG-219is implemented:cephalon doctor --app-root <path>now also validates the generated test project plus scaffoldedArchitecture/CompositionSmokeTests.csandFeatures/*BehaviorSpecifications.csplaceholders, checks that starter composition smoke plus Given/When/Then seams stay explicit, and keeps the generated test harness truthful before teams replace those placeholders with real specsENG-220is implemented:cephalon doctor --app-root <path>now also validates the generated rootREADME.md,Configurations/README.md, and deploymentREADME.mdguidance assets, checks that generated package-source, split-config, publish, deployment, and local-orchestration instructions still align with the current app root, and keeps human-facing generated guidance visible before teams follow the scaffolded docs literallyENG-221is implemented:cephalon doctor --app-root <path>now also validates the generated.cephalon/packages/README.mdguidance asset, checks that local package-feed seeding plus shared-feed replacement instructions still align with the current app root, and keeps generated package-bootstrap guidance visible before teams seed packages or replace thecephalonsourceENG-223is implemented:cephalon doctor --app-root <path>now also validates the generated Kubernetes manifest content indeploy/kubernetes/kustomization.yaml,deploy/kubernetes/namespace.yaml,deploy/kubernetes/deployment.yaml, anddeploy/kubernetes/service.yaml, checks that namespace, labels, image placeholder, env, probe, andClusterIPservice seams still align with the current app root, and keeps platform-neutral Kubernetes manifest posture visible before teams rely on those shipped manifestsENG-224is implemented:cephalon doctor --app-root <path>now also validates the generateddeploy/windows-service/remove-service.ps1,deploy/iis/remove-site.ps1, anddeploy/linux/systemd/<App>.envassets, checks that Windows Service stop/delete flow, IIS site/app-pool teardown flow, and Linuxsystemdenvironment plus telemetry override hints still align with the current app root, and keeps teardown plus service-manager environment posture visible before teams rely on those operational assetsENG-225is implemented: the repo now shipsscripts/validate-generated-app-adoption.ps1as the scenario-driven external cold-start replay baseline,publish-package-artifacts.ps1now preserves an existing outputREADME.mdso generated local package-feed guidance survives package refreshes, and the install -> doctor -> scaffold -> seed local packages -> doctor —app-root -> restore -> build -> run -> route-probe loop is now provable from a temporary workspace outside the repository without relying on hidden repo contextENG-226is implemented: the repo now shipsscripts/validate-template-pack-adoption.ps1as the external cold-start template-pack parity replay baseline,cephalon doctornow honorsCEPHALON_DOCTOR_TEMPLATE_HIVEso isolated custom-hive installs can be validated from the same first-run command path, andcephalon doctor --app-root <path>now accepts template-pack project-root starters in addition to the CLI scaffold layout while preserving the same bootstrap, deployment-asset, and route-readiness truthENG-227is implemented: the repo now shipsscripts/validate-out-of-tree-package-adoption.ps1as the external out-of-tree package parity replay baseline, proving the temporary-feed install ->cephalon doctor-> scaffold -> seed local packages -> pack reference module ->cephalon package stage-> patchEngine:Discovery:PackageDirectoriesplusEngine:PackagePolicyandEngine:Trust-> doctor —app-root -> restore -> build -> run -> staged-package route and runtime-surface probe loop from a temporary workspace outside the repository without relying on hidden repo contextENG-228is implemented: the repo now shipsscripts/validate-signed-package-governance.ps1as the higher-assurance external package governance replay baseline, proving the temporary-feed install ->cephalon doctor-> scaffold -> seed local packages -> repackCephalon.ReferenceModule.Operationswith a deterministic detached signature ->cephalon package stage-> patchEngine:Discovery:PackageDirectoriesplus stricterEngine:PackagePolicyandEngine:Trust:TrustedSignaturePublicKeys-> doctor —app-root -> restore -> build -> run -> signed-package runtime and route probes, followed by a tampered-package denial path when signature verification is requiredENG-229is implemented: the repo now shipsscripts/validate-signed-package-certificate-chain-governance.ps1as the matching external certificate-chain trust replay baseline,scripts/validate-signed-package-governance.ps1now supports certificate-chain trust mode alongside public-key trust, and the same external-adoption lane now provesEngine:Trust:TrustedSignatureCertificatesplusEngine:Trust:TrustedSignatureCertificateAuthoritiessurfacetrusted-certificate-chainverification pluscertificateThumbprinttruth while still denying tampered signed packagesENG-230is implemented: the repo now ships the April 2026 engine surface maturity reset throughdocs/engine-surface-maturity-audit.md, refreshed roadmap/backlog/governance language, and explicitM0throughM4plus ownership-mode vocabulary so descriptor-first work, runtime truth, and execution-owning surfaces stop reading like the same maturity levelENG-231is implemented:Cephalon.Eventingnow ships host-agnostic managed subscription execution contracts and execution-binding vocabulary, whileCephalon.Eventing.Wolverinecan opt intoEnableSubscriptionExecutionon top ofEnableDispatchLoopso the repo now has one truthfulwolverine-managedevent-subscription execution lane with fixed-delay retry scheduling,eventing.subscribe, runtime-boundevent-subscriptionsmetadata, richerwolverine-adapterruntime state, regenerated reference docs, and focused composition/hosting/tooling validationENG-232is implemented:Cephalon.Agenticsnow ships a host-agnosticIAgentToolDispatcherplus executor, policy, observer, run-report, and run-catalog contracts so registered tools can execute through one Cephalon-managed lane, report approval/denial/success/failure state into theagent-toolstechnology surface, and prove the flow through the showcase sample without claiming broader autonomous planning, memory, retry, queue, or AI-provider orchestration ownershipENG-269is implemented: agentics dispatcher command contracts now live inCephalon.Abstractions.Agentics,Cephalon.Agenticsremains the implementation owner for descriptor resolution, policy decisions, executor invocation, observer notifications, and run-state reporting, and ASP.NET Core now exposesPOST /engine/agent-tools/{toolId}/runsso operators can trigger one bounded managed tool run without referencing the agentics implementation package - issue #778ENG-280is implemented:Cephalon.Agenticsnow adds bounded process-local retry settings for the managed dispatcher lane, reportsretry-scheduledobservations plus final run state, and projects non-durable retry policy metadata throughagentics.execution,agent-tools,/engine/agent-tool-runs/retry-pending, andsnapshot.AgentToolRunswhile durable retry queues, autonomous planning, memory persistence, distributed scheduling, and provider-specific AI orchestration remain later package-owned work - issue #789ENG-281is implemented:Cephalon.Agenticsnow adds opt-in bounded process-local duplicate-completed suppression for managed tool runs, reports duplicate completedtoolId + runIdexecutions asskipped, exposesDuplicateCompletedplus/engine/agent-tool-runs/idempotency-duplicates, and projects non-durable idempotency policy metadata throughagentics.execution,agent-tools, andreported.*while durable inboxes, cross-node exactly-once delivery, durable retry queues, autonomous planning, memory persistence, distributed scheduling, and provider-specific AI orchestration remain later package-owned work - issue #790ENG-282is implemented:Cephalon.Agenticsnow exposes approval-required and terminal-failure run posture as operator filters through/engine/agent-tool-runs/approval-requiredand/engine/agent-tool-runs/terminal-failures, addsAgentToolRunState.TerminalFailure, and projectsterminalFailuremetadata throughagent-toolswhile durable approval workflows, dead-letter systems, durable retry queues, autonomous planning, memory persistence, distributed scheduling, and provider-specific AI orchestration remain later package-owned work - issue #791ENG-233is implemented:Cephalon.Retrievalnow ships host-agnosticIKnowledgeDocumentProvider,IKnowledgeIndexer,IKnowledgeQueryEngine, and an implementation of the abstraction-levelIKnowledgeIndexCatalogcontract so registered knowledge collections can build one Cephalon-managed lexical index, execute bounded queries, report freshness plus query fingerprints into theknowledge-collectionstechnology surface, and prove the flow through the showcase sample without claiming vector databases, embeddings, durable or distributed search, rerankers, provider-specific semantic search, or distributed scheduler coordination ownershipENG-267is implemented: retrieval index-state read contracts now live inCephalon.Abstractions.Retrieval,Cephalon.Retrievalremains the implementation owner for document-provider ingestion, lexical indexing, bounded query execution, freshness calculation, and in-memory state, and ASP.NET Core now exposes/engine/knowledge-indexesplussnapshot.KnowledgeIndexesso operator tooling can read collection posture without referencing the retrieval implementation package - issue #776ENG-268is implemented: retrieval indexing command contracts now live inCephalon.Abstractions.Retrieval,Cephalon.Retrievalremains the implementation owner for provider ingestion, lexical indexing, freshness calculation, and index-state updates, and ASP.NET Core now exposesPOST /engine/knowledge-indexes/{collectionId}/reindexso operators can remediate a collection without referencing the retrieval implementation package - issue #777ENG-270is implemented:Cephalon.Retrievalnow registers an opt-in generic-host background reindex scheduler when ingestion andEnableBackgroundReindexingare enabled, runs over all registered collections or configured collection ids through the sameIKnowledgeIndexer, records safe scheduler metadata, and projectsretrieval.background-reindexingplusbackgroundReindexing*metadata while distributed scheduler coordination, vector search, durable indexes, and provider-specific search adapters remain later package-owned work - issue #779ENG-283is implemented: retrieval query command contracts now live inCephalon.Abstractions.Retrieval,Cephalon.Retrievalremains the implementation owner for bounded lexical query execution and runtime query observations, and ASP.NET Core now exposesPOST /engine/knowledge-indexes/{collectionId}/queriesso operators can query a collection without referencing the retrieval implementation package - issue #792ENG-271is implemented:Cephalon.Eventingnow registers an opt-in direct in-process event publisher whenEnableInProcessSubscriptionExecutionis enabled and matchingIEventSubscriptionExecutorservices exist, executes subscriptions through the sameIEventPublishercontract, reports subscription runtime state, and projectscephalon-managed,in-process-direct,retryPolicy = nonetruth through capabilities,event-publishers,event-subscriptions,/engine/event-subscription-readiness, andsnapshot.EventSubscriptionExecutionReadinesswhile durable broker dispatch, inbox/idempotency, retry queues, and distributed scheduling remain later package-owned work - issue #780ENG-272is implemented: event-publication command contracts now live inCephalon.Abstractions.Data,Cephalon.Eventingowns the boundedIEventPublicationDispatcherimplementation over the activeIEventPublisher, ASP.NET Core exposesPOST /engine/event-publications, and publication metadata now flows into in-process subscription execution state while durable broker dispatch, inbox/idempotency, retry queues, distributed scheduling, and provider-specific inbound consumption remain later package-owned work - issue #781ENG-273is implemented:Cephalon.Eventingnow adds bounded process-local retry settings for the opt-in in-process subscription execution lane, retries transient executor failures inline before returning the publication result, recordsretry-scheduledobservations plus final runtime state, and projectsbounded-in-process, max-attempt, delay, non-durable, and process-local retry metadata through capabilities, bindings,event-publishers, andevent-subscriptionswhile durable broker retries, inbox/idempotency, retry queues, distributed scheduling, and provider-specific inbound consumption remain later package-owned work - issue #782ENG-274is implemented:Cephalon.Eventingnow adds opt-in bounded process-local duplicate-completed execution suppression for the in-process subscription lane, records successfulsubscriptionId + publicationIdexecutions in memory for the configured retention window, reports duplicates asskipped, and projects non-durable idempotency policy/key/scope/retention metadata through capabilities, bindings,event-publishers,event-subscriptions, andreported.*while durable inbox ownership, cross-node exactly-once delivery, broker deduplication, durable retry queues, distributed scheduling, and provider-specific inbound consumption remain later package-owned work - issue #783ENG-275is implemented: event-publication runtime-state contracts now live inCephalon.Abstractions.Data,Cephalon.Eventingreports the latest publication state throughIEventPublicationRuntimeCatalog, in-process publication observations distinguishsucceeded,failed, andskippedlocal execution posture with subscription counters, outbox-backed publication observations reportacceptedstaged handoff with downstream dispatch still separate, and ASP.NET Core exposes/engine/event-publications/runtime*plussnapshot.EventPublicationStateswithout claiming durable broker delivery - issue #784ENG-276is implemented:Cephalon.Eventing.Wolverinenow addsSubscriptionMaxAttempts, projectsbounded-fixed-delayretry policy plus max-attempt, delay, durability, and scope metadata througheventing.subscribe, binding metadata,event-subscriptions, and thewolverine-adapterruntime surface, and reports terminalfailedstate withretryExhausted = true/terminalFailure = truewhen the provider-managed subscription retry budget is exhausted - issue #785ENG-277is implemented:Cephalon.Eventing.Wolverinenow addsDispatchMaxAttempts, projectsbounded-fixed-delaydispatch retry policy plus max-attempt, delay, dispatch-store durability, and provider-managed scope metadata througheventing.wolverine.dispatch, dispatch runtime descriptors, dispatch reports, and thewolverine-adapterruntime surface, and reports terminalfailedstate withretryExhausted = true/terminalFailure = truewhen no-destination or publish failures exhaust the dispatch retry budget - issue #786ENG-234throughENG-261plusENG-284throughENG-312are implemented:Cephalon.MultiTenancynow stays narrow around tenant resolution and governance-boundary truth whileCephalon.MultiTenancy.Governanceowns the concrete companion proofs for membership catalog/evaluation, opt-in durable local membership storage, invitation catalog/validation, opt-in durable local invitation storage, host-agnostic invitation delivery dispatch/run-state/outcome persistence over registered sender extensions, opt-in local invitation delivery retry storage plus bounded retry execution, process-local retry execution coordination, and opt-in automatic background retry scheduling/run-state, host-agnostic invitation delivery status reconciliation over provider or receiver observations, opt-in durable local delivery-status observation storage, host-driven tenant-administration workflow commands over membership and invitation stores, declared domain-ownership catalog/validation, opt-in durable local domain-ownership storage, in-process domain-ownership verification workflow transitions, domain proof challenge issuance, domain proof publication planning, HTTP file proof publication state for host adapters, domain proof evaluation over reported evidence, bounded on-demand HTTP file proof collection, configured on-demand DNS TXT proof collection, domain proof verification runner orchestration, bounded on-demand proof polling, opt-in automatic background proof polling scheduling/run-state, approval/remediation action catalog/decision, in-process approval/remediation action workflow transitions, and opt-in durable local action storage, whileCephalon.MultiTenancy.Governance.AspNetCoreowns optional HTTP proof serving plus the fail-closed tenant-administration command endpoint, fail-closed invitation delivery dispatch endpoint, fail-closed normalized invitation delivery-status callback endpoint, opt-in provider-neutral callback signature verification, bounded process-local signed-callback replay protection, and bounded observation-history reads over the host-agnostic observation store,Cephalon.MultiTenancy.Governance.HttpDeliveryowns optional generic HTTP webhook invitation sending plus provider-neutral idempotency headers, HMAC request signing, and bounded in-process retry/backoff,Cephalon.MultiTenancy.Governance.SmtpDeliveryowns optional SMTP relay invitation sending with templated messages, deterministic message ids, safe context headers/metadata, and a replaceable client seam,Cephalon.MultiTenancy.Governance.SendGridDeliveryowns optional SendGrid Mail Send API invitation sending with templated payloads, safe context headers/custom arguments/categories, sandbox-mode validation, provider message-id capture, diagnostics4560-4561, and a replaceable client seam,Cephalon.MultiTenancy.Governance.MailgunDeliveryowns optional Mailgun Messages API invitation sending with templated multipart payloads, safe variables/headers, test-mode posture, provider message-id capture, diagnostics4566-4567, and a replaceable client seam,Cephalon.MultiTenancy.Governance.AmazonSesDeliveryowns optional Amazon SES v2 invitation sending with templatedSendEmailpayloads, safe region/configuration-set/status/message-id/tag/recipient metadata, diagnostics4576-4577, and a replaceable AWS SDK handoff seam,Cephalon.MultiTenancy.Governance.AmazonSesDelivery.AspNetCoreowns optional Amazon SES over SNS callback translation, opt-in SNS signature verification, bounded process-local SNS replay protection, observation-store-backed SNS message-id idempotency, opt-in verified SNS subscription confirmation, and opt-in verified SNS unsubscribe-confirmation observation with diagnostics4578-4584and thetenant-invitation-delivery-amazon-ses-status-callbacksruntime surface,Cephalon.MultiTenancy.Governance.MicrosoftGraphDeliveryowns optional Microsoft GraphsendMailinvitation sending with templated JSON payloads, safex-*headers, Graph request-id capture, diagnostics4572-4573, and replaceable client/token-provider seams, andCephalon.MultiTenancy.Governance.MicrosoftGraphDelivery.AzureIdentityowns optional Azure Identity access-token acquisition for the Graph sender with diagnostics4574-4575without claiming actual DNS proof publication, provider-backed proof publication or mutation, remediation execution beyond state transitions, distributed or provider-backed governance storage, additional provider-specific email API senders beyond the shipped SMTP/SendGrid/Mailgun/Amazon SES/Microsoft Graph set, SMS/chat/CRM/identity-provider invitation senders, Microsoft Entra app registration/permission consent/mailbox access policy, AWS account/IAM/identity verification, DKIM/SPF/DMARC, SES sandbox/configuration-set event destination setup, SNS topic/subscription creation, automatic resubscribe/restore, subscription lifecycle governance, distributed retry queues, cross-node retry leases, provider-specific or distributed callback inboxes, cross-node callback replay protection, provider-specific callback payload translation beyond shipped SendGrid/Mailgun/Amazon SES translators, provider-specific callback signature verification beyond shipped SendGrid/Mailgun/Amazon SNS hardening, provider polling, identity-provider synchronization, public onboarding, or tenant-admin UI/backoffice flows - issues #793, #800, #801, #802, #803, #804, #805, #806, #807, #808, #809, #810, #814, #819, #820, #821, #822, #823, #824, #825, #826, #827ENG-296is implemented:Cephalon.MultiTenancy.Governance.SendGridDelivery.AspNetCorenow also owns optional SendGrid signed Event Webhook verification with ECDSA-SHA256 over timestamp plus exact raw request body bytes, rejects invalid signed callbacks before parsing or reconciliation, records safe signature metadata, emits diagnostics4563, and keeps durable inboxes, distributed replay, provider polling, non-SendGrid callback translation/signature semantics, public onboarding, tenant-admin UI/backoffice, identity-provider sync, and distributed/provider-backed governance stores outside this proof - issue #811ENG-297is implemented:Cephalon.MultiTenancy.Governance.SendGridDelivery.AspNetCorenow also owns bounded process-local replay protection for verified SendGrid signed Event Webhook callbacks, rejects duplicate safe signature fingerprints with409before reconciliation, records safe replay metadata, emits diagnostics4564, and keeps durable inboxes, distributed replay ledgers, provider polling, cross-node exactly-once delivery, non-SendGrid callback translation/signature semantics, public onboarding, tenant-admin UI/backoffice, identity-provider sync, and distributed/provider-backed governance stores outside this proof - issue #812ENG-298is implemented:Cephalon.MultiTenancy.Governance.SendGridDelivery.AspNetCorenow also owns observation-store-backed SendGrid event-id idempotency, skips duplicate translatedsendgrid:{sg_event_id}observations before reconciliation, records safe idempotency metadata, emits diagnostics4565, and keeps durable callback inboxes, distributed replay/event-id ledgers, provider polling, cross-node exactly-once delivery, non-SendGrid callback translation/signature semantics, public onboarding, tenant-admin UI/backoffice, identity-provider sync, and distributed/provider-backed governance stores outside this proof - issue #813ENG-299is implemented:Cephalon.MultiTenancy.Governance.MailgunDeliverynow owns optional Mailgun Messages API invitation sending with templated multipart payloads, safe context variables/headers, test mode, provider JSONidcapture, diagnostics4566-4567, and a replaceable Mailgun client seam while Mailgun callback translation later shipped throughENG-300, Mailgun signed-webhook verification later shipped throughENG-301, Mailgun replay-token rejection later shipped throughENG-302, and Mailgun event-id idempotency later shipped throughENG-303; provider polling, durable callback inboxes, public onboarding, tenant-admin UI/backoffice, identity-provider sync, and distributed/provider-backed governance stores remain outside this sender proof - issue #814ENG-300is implemented:Cephalon.MultiTenancy.Governance.MailgunDelivery.AspNetCorenow owns optional Mailgun webhook callback translation into the existing delivery-status reconciler with bounded JSON parsing, user-variable context extraction, provider message-id normalization, safe callback metadata, diagnostics4568, and thetenant-invitation-delivery-mailgun-status-callbacksruntime surface while Mailgun signed-webhook verification later shipped throughENG-301, replay-token rejection later shipped throughENG-302, and event-id idempotency later shipped throughENG-303; durable callback inboxes, provider polling, exactly-once delivery, public onboarding, tenant-admin UI/backoffice, identity-provider sync, and distributed/provider-backed governance stores remain outside this proof - issue #815ENG-301is implemented:Cephalon.MultiTenancy.Governance.MailgunDelivery.AspNetCorecan now require Mailgun HMAC-SHA256 signed webhook verification overtimestamp + token, supportssignature.parent-signaturefor subaccount events when enabled, rejects invalid or stale signed callbacks before reconciliation, records only safe signature posture metadata, emits diagnostics4569, and reportscephalon-managedsignature verification ownership throughtenant-invitation-delivery-mailgun-status-callbackswhile Mailgun replay-token rejection later shipped throughENG-302and event-id idempotency later shipped throughENG-303; durable callback inboxes, provider polling, exactly-once delivery, public onboarding, tenant-admin UI/backoffice, identity-provider sync, and distributed/provider-backed governance stores remain outside this proof - issue #816ENG-302is implemented:Cephalon.MultiTenancy.Governance.MailgunDelivery.AspNetCorecan now reject duplicate verified Mailgun signed webhook tokens inside a bounded process-local replay window, stores only SHA-256 token fingerprints, returns409before reconciliation for duplicate tokens, records safe replay posture metadata, emits diagnostics4570, and reportscephalon-managedreplay ownership throughtenant-invitation-delivery-mailgun-status-callbackswhile durable callback inboxes, distributed replay/event-id ledgers, provider polling, exactly-once delivery, public onboarding, tenant-admin UI/backoffice, identity-provider sync, and distributed/provider-backed governance stores remain outside this proof - issue #817ENG-303is implemented:Cephalon.MultiTenancy.Governance.MailgunDelivery.AspNetCorenow also owns observation-store-backed Mailgun event-id idempotency, skips duplicate translatedmailgun:{event-data.id}observations before reconciliation, returnsDuplicateEventsplus per-eventduplicate-skippedoutcomes, records safe event-id idempotency metadata, emits diagnostics4571, and reportscephalon-managedidempotency ownership throughtenant-invitation-delivery-mailgun-status-callbackswhile durable callback inboxes, distributed replay/event-id ledgers, provider polling, exactly-once delivery, public onboarding, tenant-admin UI/backoffice, identity-provider sync, and distributed/provider-backed governance stores remain outside this proof - issue #818ENG-304is implemented:Cephalon.MultiTenancy.Governance.MicrosoftGraphDeliverynow owns optional Microsoft GraphsendMailinvitation sending with templated JSON payloads, safe customx-*internet message headers, Graph request-id metadata capture, diagnostics4572-4573, a replaceable Graph HTTP client seam, and a replaceable access-token provider seam while Microsoft Entra app registration, permission consent, mailbox access policy, token-provider implementation beforeENG-305, delivery completion after Graph acceptssendMail, Graph change notifications, provider polling, durable callback inboxes, public onboarding, tenant-admin UI/backoffice, identity-provider sync, and distributed/provider-backed governance stores remain outside this proof - issue #819ENG-305is implemented:Cephalon.MultiTenancy.Governance.MicrosoftGraphDelivery.AzureIdentitynow owns optional Azure Identity access-token acquisition for the Microsoft Graph invitation sender with configuration/code-firstDefaultAzureCredentialsetup, explicitTokenCredentialinjection, Graph scope selection, tenant id, managed-identity client id, authority-host selection, safe credential toggles, diagnostics4574-4575, and replacement of the sender token-provider seam while Microsoft Entra app registration, GraphMail.Sendpermission consent, mailbox access policy, credential lifecycle policy beyond the selected Azure credential, Graph delivery completion/notifications, provider polling, durable callback inboxes, public onboarding, tenant-admin UI/backoffice, identity-provider sync, and distributed/provider-backed governance stores remain outside this proof - issue #820ENG-306is implemented:Cephalon.MultiTenancy.Governance.AmazonSesDeliverynow owns optional Amazon SES v2 invitation sending with templatedSendEmailpayloads, optional configuration set/reply-to/tags, safe region/configuration-set/status/message-id/tag/recipient metadata capture, diagnostics4576-4577, and a replaceable AWS SDK client seam while AWS account/IAM/identity verification, DKIM/SPF/DMARC, SES sandbox exit, configuration-set event destination setup, provider polling, durable callback inboxes, public onboarding, tenant-admin UI/backoffice, identity-provider sync, and distributed/provider-backed governance stores remain outside this proof; Amazon SES over SNS callback translation later shipped throughENG-307- issue #821ENG-307is implemented:Cephalon.MultiTenancy.Governance.AmazonSesDelivery.AspNetCorenow owns optional Amazon SES over SNS callback translation into the existing delivery-status reconciler with bounded SNSNotificationparsing, SES event JSON unwrapping, Cephalonmail.tagscontext extraction, SESmail.messageIdcorrelation, safe callback metadata, diagnostics4578, and thetenant-invitation-delivery-amazon-ses-status-callbacksruntime surface while SNS signature verification, process-local SNS replay protection, SNS message-id idempotency, verified SNS subscription confirmation, and verified SNS unsubscribe-confirmation observation later shipped throughENG-308,ENG-309,ENG-310,ENG-311, andENG-312; SES event-destination setup, durable callback inboxes, distributed replay/event-id ledgers, provider polling, public onboarding, tenant-admin UI/backoffice, identity-provider sync, and distributed/provider-backed governance stores remain outside this proof - issue #822ENG-308is implemented:Cephalon.MultiTenancy.Governance.AmazonSesDelivery.AspNetCorenow owns opt-in Amazon SNS signature verification before Amazon SES callback translation, requires signature version 2 and allowedTopicArnvalues by default, validates HTTPS Amazon SNS signing-certificate URLs, supports pinned PEM certificates for controlled tests, validates certificate chain posture by default, records safe signature metadata, emits diagnostics4579, and projects signature-version/topic/certificate policy throughtenant-invitation-delivery-amazon-ses-status-callbackswhile process-local SNS replay protection, SNS message-id idempotency, verified SNS subscription confirmation, and verified SNS unsubscribe-confirmation observation later shipped throughENG-309,ENG-310,ENG-311, andENG-312; SES event-destination setup, durable callback inboxes, distributed replay/event-id ledgers, provider polling, public onboarding, tenant-admin UI/backoffice, identity-provider sync, and distributed/provider-backed governance stores remain outside this proof - issue #823ENG-309is implemented:Cephalon.MultiTenancy.Governance.AmazonSesDelivery.AspNetCorenow owns bounded process-local replay protection for verified SNS-wrapped Amazon SES callbacks, stores safe fingerprints derived from verified SNSTopicArnplusMessageId, rejects duplicate verified callbacks with409 Conflictbefore reconciliation, records safe replay metadata, emits diagnostics4580, and projects replay policy/key/scope/durability/retention/cache posture throughtenant-invitation-delivery-amazon-ses-status-callbackswhile SNS message-id idempotency, verified SNS subscription confirmation, and verified SNS unsubscribe-confirmation observation later shipped throughENG-310,ENG-311, andENG-312; SES event-destination setup, durable callback inboxes, distributed replay/event-id ledgers, provider polling, public onboarding, tenant-admin UI/backoffice, identity-provider sync, and distributed/provider-backed governance stores remain outside this proof - issue #824ENG-310is implemented:Cephalon.MultiTenancy.Governance.AmazonSesDelivery.AspNetCorenow owns observation-store-backed SNS message-id idempotency for Amazon SES callbacks, checks normalizedamazon-ses-sns:{MessageId}observation ids before reconciliation, skips duplicate translated events withduplicate-skippedoutcomes and aggregateduplicateEvents, records safe idempotency metadata, emits diagnostics4581, and projects message-id idempotency policy/key/scope/store-durability posture throughtenant-invitation-delivery-amazon-ses-status-callbackswhile verified SNS subscription confirmation and verified SNS unsubscribe-confirmation observation later shipped throughENG-311andENG-312; SES event-destination setup, durable callback inboxes, distributed replay/event-id ledgers, provider polling, public onboarding, tenant-admin UI/backoffice, identity-provider sync, and distributed/provider-backed governance stores remain outside this proof - issue #825ENG-311is implemented:Cephalon.MultiTenancy.Governance.AmazonSesDelivery.AspNetCorenow owns opt-in verified SNS subscription confirmation for Amazon SES callbacks throughEnableSnsSubscriptionConfirmation,SnsSubscriptionConfirmationTimeoutSeconds, andIAmazonSesSnsSubscriptionConfirmationClient, confirms only verifiedSubscriptionConfirmationenvelopes from allowed topics, validates trusted HTTPS Amazon SNSSubscribeURLvalues, returns subscription-confirmation aggregate fields, emits diagnostics4582-4583, and projects confirmation ownership/policy/timeout posture throughtenant-invitation-delivery-amazon-ses-status-callbackswhile verified SNS unsubscribe-confirmation observation later shipped throughENG-312; SNS topic/subscription creation, SES event-destination setup, automatic resubscribe/restore, subscription lifecycle governance, durable callback inboxes, distributed replay/event-id ledgers, provider polling, public onboarding, tenant-admin UI/backoffice, identity-provider sync, and distributed/provider-backed governance stores remain outside this proof - issue #826ENG-312is implemented:Cephalon.MultiTenancy.Governance.AmazonSesDelivery.AspNetCorenow owns opt-in verified SNS unsubscribe-confirmation observation for Amazon SES callbacks throughEnableSnsUnsubscribeConfirmationObservation, observes only verifiedUnsubscribeConfirmationenvelopes from allowed topics, validates trusted HTTPS Amazon SNSSubscribeURLvalues, never invokesSubscribeURL, returns unsubscribe-confirmation aggregate fields, emits diagnostic4584, and projects unsubscribe-confirmation ownership/action/SubscribeURL policy throughtenant-invitation-delivery-amazon-ses-status-callbackswhile SNS topic/subscription creation, SES event-destination setup, automatic resubscribe/restore, subscription lifecycle governance, durable callback inboxes, distributed replay/event-id ledgers, provider polling, public onboarding, tenant-admin UI/backoffice, identity-provider sync, and distributed/provider-backed governance stores remain outside this proof - issue #827- the planned phase-7 baseline plus the generated-app bootstrap, generated-app bootstrap verification, starter test-harness verification, published-output, local orchestration, container-image publishing, Windows/Linux self-hosted deployment follow-through, hosted Windows IIS path, hosted Azure App Service plus Azure Container Apps paths, platform-neutral Kubernetes path, external cold-start adoption replay, template-pack parity replay, out-of-tree package parity replay, detached-signature governance replay, and certificate-chain trust replay are now in place, so the next adoption work can stay scenario-driven and focus on broader external provenance or distribution follow-through instead of filling a known install/run/deploy gap
Exit criteria:
- a team can install the CLI or template pack, scaffold an app or module, and validate its environment on Windows or Linux-class shells without custom repo knowledge
- a team can rerun
cephalon doctor --app-root <path>against a freshly scaffolded app and get one truthful answer for generated-app bootstrap readiness, generatedProgram.csplus host-projectPackageReferenceandConfigurations/**/*.jsonbaseline posture, generated test-project plusCompositionSmokeTests.csandBehaviorSpecifications.csstarter-harness posture, generated guidance docs plus local package-feed guidance posture, generated self-hosted and hosted deployment assets plus generated container deployment-asset, Dockerfile-baseline, and local orchestration compose or collector posture, and copy/paste-ready restore or run next steps - the repo-native validation and packaging flow no longer depends on Windows-only shell assumptions
- an out-of-tree Cephalon package can be published, trusted, loaded, and inspected through the shipped runtime surfaces
- at least one adoption-quality sample host can be run through a documented containerized path that preserves the current
/engine/*,/health/*, and telemetry behaviors - a freshly scaffolded Cephalon app can restore, build, and take the documented container path after seeding or repointing the supported
cephalonpackage source - a freshly scaffolded Cephalon app can publish to a deterministic folder profile and run from published output with the expected runtime, health, and docs surfaces
- a freshly scaffolded Cephalon app can carry a documented Windows Service baseline with generated install assets and a verified install-preview path against published output
- a freshly scaffolded Cephalon app can carry a documented IIS site/app-pool baseline with generated install assets, the expected ANCM
web.config, and a verified install-preview path against published output - a freshly scaffolded Cephalon app can carry a documented Azure App Service ZIP-deploy baseline with generated packaging assets,
WEBSITE_RUN_FROM_PACKAGEguidance, and a verified Azure CLI preview path against published output - a freshly scaffolded Cephalon app can carry a documented container-image publishing baseline with generated build/tag/push assets, provider-neutral registry guidance, and a verified local-registry smoke path against the generated app root
- a freshly scaffolded Cephalon app can carry a documented Azure Container Apps source-deploy baseline with generated Docker assets,
az containerapp up --sourceguidance, and a verified Azure CLI preview path against the generated app root - a freshly scaffolded Cephalon app can carry a documented Kubernetes deployment baseline with generated manifest/apply assets,
kubectl kustomizeguidance, and a verified preview path against the generated app root - a freshly scaffolded Cephalon app can carry a documented Linux
systemdservice baseline with generated install assets and a verified self-hosted service-manager path - a team can replay the external cold-start adoption path from a temporary workspace by installing
Cephalon.Clifrom a package feed, runningcephalon doctor, scaffolding a fresh app, seeding the generated./.cephalon/packagesfeed without losing the generated README guidance, rerunningcephalon doctor --app-root <path>, restoring, building, running, and probing the generated host
Phase 8: Configurable application architecture and runtime primitives
Section titled “Phase 8: Configurable application architecture and runtime primitives”Status: in progress
Goal: let consumer apps keep one Cephalon codebase while switching architecture, data, messaging, identity, tenancy, and audit choices through configuration and additive companion packs instead of host rewrites or blueprint explosion.
Product principle for this phase: Cephalon should lower ceremony for consumer apps by absorbing repetitive plumbing, declarations, and host wiring so teams write less framework code and focus more of their codebase on business logic.
Current baseline already in place:
- configuration-driven
Blueprint,Patterns,Technologies, andTransportsthrough theEnginesection - built-in blueprints for
ModularMonolith,ModularVerticalSlice, andMicroservice - shipped pattern and technology catalogs plus additive technology companion-package wiring
- scaffold plans that already imply
Application/Domain/InfrastructureplusCommands/Queries/Policies/Strategiesstarter shapes - runtime snapshot, runtime-story, diagnostics, technology-surface, and package-introspection endpoints that later packs can extend without inventing a second control plane
- an observability companion-package ecosystem that already proves provider-specific follow-through can stay outside
Cephalon.EngineandCephalon.Abstractions ENG-046landed locally: phase-8 pattern and technology ids now exist with alias-aware resolution in the shipped catalogsENG-047landed locally: structuredEngine:Data,Engine:Identity,Engine:Tenancy,Engine:Audit, andEngine:Messagingsettings now flow into the resolved app profile with phase-8 prerequisite validationENG-048landed locally:Cephalon.Abstractionsnow carries host-agnostic data, authorization, tenancy, audit, and id contracts with XML comments, package-surface coverage, and reference-doc validation, andCephalon.Enginenow exposes merged projection, inbox, outbox, and authorization-policy catalogs through/engine/projections,/engine/inboxes,/engine/outboxes,/engine/authorization-policies, and/engine/snapshotENG-049is in progress locally:Cephalon.Datanow provides runtime-neutralIReadStore/IWriteStoredispatching backed by command/query handlers,Cephalon.Data.EntityFrameworknow registers single-context or split read/write Entity Framework CoreDbContextroles plus opt-in Entity Framework-backed inbox and outbox baselines and optionalSfid.EntityFrameworkconventions,Cephalon.Enginenow surfaces additive inbox/outbox catalogs throughIInboxCatalog,IOutboxCatalog,/engine/inboxes,/engine/outboxes, and/engine/snapshot, the Entity Framework pack now contributes staged-onlyoutbox-producersentries plus application-managedinbox-storesentries underevent-driven-integrationwhen that technology is active, the Entity Framework outbox now also exposes an adapter-neutralIEventDispatchStorewith durabledispatch_attempt_count/dispatched_at_utc/next_attempt_at_utcfollow-through for later shipped companion adapters, andCephalon.Ids.Sfidwraps the officialSfid.Netgenerator behindIIdGeneratorplus the official generator interface withEngine:Data:Ids:Sfidtopology support while richer projection persistence/runtime surfaces remain openENG-050is now in progress locally:Cephalon.Eventingexposes publicEventPublication,IEventPublisher,EventDispatchItem, andIEventDispatchStorecontracts, registers an outbox-backed staged publication path only when a realIOutboxexists, surfaces that truth througheventing.publishand theevent-publishersruntime surface, now also exposes declared subscription descriptors througheventing.subscriptionsand theevent-subscriptionsruntime surface, can report when an application-managed inbox store is available, can link declared subscriptions to hosted-execution descriptors plus execution graphs and runtime-story state when modules publish that metadata, now also carries application-managed subscription runtime-state/reporting plus stable diagnostics conventions for those outcomes, now also carries application-managed outbox-dispatch runtime-state/reporting throughIEventDispatchRuntimeReporter/IEventDispatchRuntimeCatalogwithreported.*metadata on the newevent-dispatchessurface, now projects configured dispatch-runtime descriptor metadata through those outbox-facing entries, now has a runtime-neutral bridge for later adapter-owned dispatch loops without claiming that the pack itself already owns broker dispatch, retries, or handler execution, and now ships an officialCephalon.Eventing.Wolverineadapter slice that can run as a thin host-wiring baseline withdispatchBridge = consumer-managedor as an opt-inwolverine-manageddurable staged-dispatch loop on top ofIEventDispatchStorewhile its adapter surface aggregates latest outcome and retry/runtime totals for operator views and its pack-specific diagnostics convention first exposed stable4300-4303loop event ids through/engine/diagnosticsbefore later follow-through extended that rangeENG-051is now in progress locally:Cephalon.Identitynow exists as the first host-agnostic identity companion pack with config-drivenIdentityRuntimeOptions, declarativeIdentityPolicyMetadataKeys, a default metadata-drivenIAuthorizationEvaluator, a truthfulidentity-authorizationtechnology surface underidentity-access, and stable4400-4401diagnostics-catalog entries for allow/deny outcomes, andCephalon.Identity.AspNetCorenow exists as the follow-through host adapter with config-drivenEngine:Identity:AspNetCoreoptions plus a REST-onlyRequireCephalonAuthorization(...)helper that mapsClaimsPrincipal, route values, and request metadata into the shared Cephalon authorization contracts without polluting the coreENG-051follow-through now also honors ASP.NET Core challenge/forbid behavior when the host or endpoint metadata already declares authentication schemes, including the low-ceremonyWithCephalonAuthenticationSchemes(...)endpoint helper, which keeps scheme ownership with the consumer host while letting Cephalon return ecosystem-native401and403outcomes instead of always forcing problem-details fallbacksENG-051follow-through now also respectsAllowAnonymousendpoint metadata inside protected route groups so consumer apps can keep standard ASP.NET Core public-route semantics without forking Cephalon authorization wiring for the rest of the groupENG-051follow-through now also has direct request-factory coverage for custom claim-type mapping, subject-id fallback behavior, and optional claim/route/query/header projection flags so the low-ceremony ASP.NET Core adapter keeps its config-driven authorization-request shaping truthful beyond the happy-path hosting testsENG-051follow-through now also honorsEnableDefaultEvaluatorandEnableRuntimeSurfacetruthfully, so the host-agnostic pack can opt out of the built-in evaluator without turning protected endpoints into missing-service failures and can suppress theidentity-authorizationruntime surface entirely when a consumer wants that pack-level telemetry quietENG-051follow-through now also covers controller/action boundaries through a public[RequireCephalonAuthorization]attribute and projects anidentity-aspnetcoreruntime surface so/engine/technology-surfacescan report how many ASP.NET Core endpoints are protected, which Cephalon policy ids are active, and whereAllowAnonymousoverrides still exist across minimal APIs and MVC-style controllersENG-051follow-through now also bridges authenticated ASP.NET Core principal data into the ambient audit actor contract whenCephalon.Auditis active and the host has not registered a custom accessor, which keeps the low-ceremony actor path in the host adapter instead of leaking ASP.NET Core concerns into the host-agnostic audit packENG-052is now in progress locally:Cephalon.MultiTenancynow exists as the first host-agnostic tenancy companion pack with config-drivenMultiTenancyRuntimeOptions,AddMultiTenancy(...), a built-in configuration-drivenITenantResolver, an ambientITenantContextAccessor, a truthfultenant-resolutionsurface undermulti-tenancy, stable4500-4502diagnostics-catalog entries, and explicit miss semantics that keep tenant-id, tenant-key, and host-name mismatches from silently defaulting into another tenant while still allowing hosts to disable the built-in resolver cleanlyENG-052is also now proving the narrow audit slice locally:Cephalon.Auditexists as the first host-agnostic audit companion pack withAddAudit(...),AuditRuntimeOptions,AuditMetadataKeys, ambient actor access, a default recorder, stable4600-4601diagnostics-catalog entries, and a dedicatedIAuditStoreCatalogsurfaced through/engine/audit-storesand/engine/snapshotENG-052follow-through now also honorsAuditRuntimeOptions.EnableInMemoryWriter/Engine:Audit:EnableInMemoryWriterend to end across service-collection, ASP.NET Core, and Worker host paths, and the runtime audit-store catalog now stays aligned with that choice instead of pretending the memory-backed store is active when it is notENG-052follow-through now also preserves additive consumer audit-store contributions whenAddAudit()is active, so/engine/audit-storesand/engine/snapshotkeep showing custom/runtime-provided stores even when the built-inaudit-defaultstore is disabled or absentENG-052follow-through now also keeps audit actor resolution low ceremony in ASP.NET Core hosts by consuming the authenticated principal through the identity adapter when available, while runtime surfaces still answer truthfully whether that bridge is active, merely available, or absent and custom audit actor accessors remain authoritativeENG-053is now in progress locally:Cephalon.ScaffoldingandCephalon.Clinow emit canonical phase-8 ids plus structuredEngine:Data,Engine:Identity,Engine:Tenancy,Engine:Audit, andEngine:Messagingsections, generated hosts now centralize the common low-ceremony phase-8 pack wiring, generated tests now start with architecture smoke checks plus per-feature behavior specifications,Cephalon.TemplatePackstarter apps now carry a narrowSfidplusAuditbaseline with the same canonical config shape, and starter sample hosts now mirror that same baseline with hosting coverage that locks their/engine/app-modelanswersENG-055is now in progress locally:scripts/validate-phase8-conventions.ps1now gives phase 8 a named validation replay across settings/profile truth, runtime catalogs and surfaces, relational data plusSfid, eventing plus Wolverine, identity/tenancy/audit, ASP.NET Core adapter follow-through, starter generation, package-surface truth, reference-doc generation, and adoption-doc alignment,scripts/validate-release.ps1now runs that focused suite by default,Cephalon.Benchmarksnow carries explicit phase-8 composition, runtime-lifecycle, and scaffolding baselines with refreshed guardrail thresholds from the current BenchmarkDotNet output, and the repo-native release-validation path is green again after compatibility-truth and discovery-scope fixes in the reference-module and test harness assets- phase-8 messaging direction is now explicit:
Cephalon.Eventing.Wolverineis the first shipped optional companion proof,MassTransitis the tracked-later adapter candidate after the engine-owned contract and that proof are validated strongly enough, andMediatR,LiteBus,NServiceBus, andSlimMessageBusremain consumer-owned coexistence choices unless a later bridge or adapter package is deliberately shipped
Milestone outline:
M1 Taxonomy and contracts: freeze blueprint vs pattern vs technology vs companion-pack semantics; add structuredEngine:Data,Engine:Identity,Engine:Tenancy,Engine:Audit, andEngine:Messagingsections; add host-agnostic contracts and runtime surfacesM2 Data and messaging foundation: ship a relational-first golden path throughCephalon.Data,Cephalon.Data.EntityFramework, CQRS read/write split, projections, outbox, event runtime follow-through, optional Wolverine integration, andCephalon.Ids.SfidM2should use the officialSfid.NetandSfid.EntityFrameworkpackages for the id baseline instead of inventing a custom Cephalon-specific Snowflake implementationM3 Identity, tenancy, and audit baseline: ship optionalRBAC,ABAC, and policy-based authorization, multi-tenant runtime contracts plus tenant-aware audit/history surfaces, and keep ASP.NET Core-specific wiring in host adaptersM4 CLI, scaffolding, templates, and samples: alignCephalon.Cli,Cephalon.Scaffolding,Cephalon.TemplatePack, and adoption-quality samples with the same phase-8 config and package contractM5 Provider-family and hybrid-runtime follow-through: expand beyond the relational-first baseline into explicit non-relational provider families plus additiveHybridCloudRuntime,ServiceMeshIntegration, andServerlessHostingfollow-through only after the core contract is proven
Planned workstreams:
WS1 Engine core: taxonomy, structured settings, host-agnostic contracts, validation, runtime surfaces, and XML-commented public descriptorsWS2 Companion packs: data, eventing, identity, multi-tenancy, audit, Sfid, and optional third-party adapters that stay config-driven and observability-awareWS3 CLI and scaffolding: generation, package hints, template defaults, and golden-path samples that mirror the same runtime semanticsValidation lane: cross-cutting review of benchmarks, test coverage, XML comments, runtime introspection, docs/reference-doc alignment, and over-claim risk before milestone closeout
Deliverables:
- a canonical mapping for
Hexagonal,Layered,CleanArchitecture,DDD,CQRS,Outbox, andEventSourcingas patterns instead of new blueprints - a canonical mapping for
IdentityAccess,MultiTenancy,HybridCloudRuntime,ServiceMeshIntegration, andServerlessHostingas additive technologies instead of engine-core rewrites - host-agnostic contracts for commands, queries, read/write stores, projections, outbox/inbox, authorization subjects/resources/policies, tenant context/resolution, audit entries, and id generation
- a relational-first, Entity Framework-centered baseline that proves CQRS read/write split, projections, outbox handoff, and
Sfidids before broader provider expansion - event-driven runtime follow-through that upgrades the shipped event-channel surface into truthful declared-subscription plus staged-publishing, then fuller publisher/subscriber/runtime-answer semantics without breaking the current technology-pack split
- optional identity/authorization, multi-tenancy, and audit companion packages that a consumer can turn on, turn off, or override through configuration
- CLI/scaffolding/template/sample alignment with the same config sections, package hints, and scaffold plans
- observability, diagnostics, and runtime-snapshot follow-through for every active phase-8 pack
- benchmark, validation, docs, and reference-doc follow-through that keeps the shipped capability claims truthful as phase-8 packages land
- a lower-ceremony consumer experience where common infrastructure, architecture, and runtime choices move into config, companion packs, and scaffold conventions instead of repeated host/bootstrap code
Exit criteria:
- a consumer app can keep one Cephalon codebase and change supported architecture, data, security, and runtime choices through configuration plus companion-pack selection rather than a host rewrite
Cephalon.Abstractionsstays host-agnostic and public contracts remain XML-commented enough for supported reference-doc publishing- the first golden path works end to end for relational Entity Framework plus CQRS plus outbox plus event-driven integration plus configurable identity/authorization plus multi-tenancy plus audit plus
Sfid - CLI generation, scaffold output, templates, samples, and runtime introspection tell the same story for the phase-8 baseline
- benchmark guardrails, docs, and public XML comments stay aligned with each shipped phase-8 contract instead of lagging implementation
- non-relational provider breadth plus hybrid-cloud, service-mesh, and serverless follow-through remain explicit later slices until the golden path proves the contract
- consumer apps can keep framework ceremony low by declaring architecture/runtime choices once through configuration and package selection while concentrating hand-written code on business logic, domain rules, and use-case behavior
Current planning note as of April 8, 2026:
ENG-046,ENG-047, andENG-048should freeze the phase-8 taxonomy, settings, and contracts before workstream-specific implementation names driftENG-049andENG-050are now actively proving the relational-first data and eventing baseline before broader provider expansion; the next truth gate is moving from application-managed publication/subscription reporting into a truthful optional companion execution path without over-claiming pack-owned dispatch behavior or turning one adapter into an engine requirementENG-051andENG-052should layer identity/authorization plus multi-tenancy/audit on top of the frozen data/messaging contractENG-051is now proving the host-agnostic evaluator/runtime-surface baseline plus the first ASP.NET Core adapter slice, and the next follow-through should deepen scheme/challenge alignment plus broader host-integration coverage without polluting the coreENG-052is now proving the configuration-driven tenant-resolution/runtime-surface baseline plus the first narrowCephalon.Auditrecording slice, and the next follow-through should deepen audit storage and adapter options instead of overloading the tenancy pack with membership, domain-onboarding, or data-isolation claims too earlyENG-053is now proving the TDD/BDD-friendly starter-test convention on top of the frozen ids/config/package baseline, and the next follow-through should focus on any remaining sample/template docs parity plus starter polish instead of re-deciding the starter semanticsENG-055is now establishing the named validation replay, refreshed benchmark guardrails, and docs/runtime-truth guard for the shipped phase-8 baseline, whileENG-056should continue the broader docs, XML-comment, and reference-doc closeout before phase 8 claims broad readinessENG-056is now done locally: the checked-indocs/reference/bundle has been regenerated for the current phase-8 assembly set, the tooling test lane now guards bundle drift by comparing the checked-in output against the currentCephalon.ReferenceDocsgenerator after normalizing volatile timestamps, and the top-level adoption docs plus blueprint sample READMEs now describe the shipped phase-8 starter baseline truthfullyENG-054Track 1 (non-relational provider families) is now complete: all 9 provider families (MongoDB, Redis, Neo4j, Cassandra, ClickHouse, Elasticsearch, OpenSearch, Qdrant, NATS) shipped across Sprints 25–31 with 18 companion packages (9 data + 9 event-sourcing), 648/648 tests green; hybrid-runtime, service-mesh, and serverless expansion remainlateruntil explicit adoption casesENG-057event-sourcing follow-through is now complete:Cephalon.EventSourcingcore contracts plus 10 provider implementations (EntityFramework + 9 non-relational) are shipped withIBehaviorContext.EventStorewiring through ENG-058 M6
Phase 9: Adaptive Behavior Topology
Section titled “Phase 9: Adaptive Behavior Topology”Status: done
Goal: introduce a unified application-behavior model that composes domain operations across transports, patterns, and execution strategies without requiring per-transport or per-pattern rewrites.
Delivered:
ENG-058 M1ABT foundation:IAppBehavior,IBehaviorContext,BehaviorDispatcher,BehaviorExecutionSlot,CompatibilityMatrix, 6 compatibility rules (ABT-001 through ABT-006), hosting integration — 499/499 tests (Sprint 20)ENG-058 M2HTTP Transport Pack: 7 HTTP bindings (rest,jsonrpc,graphql,graphql-sse,graphql-ws,sse,ws),LazyTransportBinding— 516/516 tests (Sprint 21)ENG-058 M3Messaging Transport Pack: InMemory, RabbitMQ, Kafka bindings; M2 CTS leak fix — 527/527 tests (Sprint 22)ENG-058 M4Pattern Execution Strategies: 5 strategies (cqrs,event-driven,saga-step,process-manager,direct),ISagaStateStore,IProcessCheckpointStore,FrozenDictionaryregistry,IBehaviorContext.CorrelationId,IProcessCompletion— 575/575 tests (Sprint 23)ENG-058 M5Source Generator:BehaviorSourceGenerator(IIncrementalGenerator+DiagnosticAnalyzer), ABT0010–ABT0013 diagnostics,BehaviorRegistrationHints.g.cs— 584/584 tests (Sprint 24)ENG-058 M6Runtime Integration:BehaviorRuntimeContributor,IBehaviorAdvisorysystem,IBehaviorContext.EventStorewiring,BehaviorDiagnosticsEventId 5100-5109 — 592/592 tests (Sprint 24)ENG-058-T30behavior-aware REST endpoint helper follow-through:MapBehaviorRestGroup(...),BehaviorRestEndpointGroup.MapBehaviorGet/Post/Put/Patch/Delete(...), module-major versioned operation-name defaults, XML-comment-backed OpenAPI enrichment,DefaultBehaviorContextevent-store DI wiring for HTTP execution, and showcase cart route deduplication — composition HTTP tests 13/13 plus showcase hosting tests 33/33 (Sprint 31)ENG-058-T31behavior REST OpenAPI summary/description split follow-through: behavior XML<summary>now maps to the OpenAPI operation summary while XML<remarks>maps to the OpenAPI operation description, avoiding duplicate Scalar text and locking the generated cart endpoint contract through showcase hosting coverage — composition HTTP tests 13/13 plus showcase hosting tests 34/34 (Sprint 31)ENG-058-T32behavior REST OpenAPI document-version follow-through:BehaviorRestEndpointGroup.ApiVersion(...)now assigns behavior-shaped REST endpoints to named OpenAPI documents, operation-name versioning now falls back to the module major only when no explicit API version is supplied,OpenApi:Documentsplus optionalOpenApi:DefaultDocumentnow drive ASP.NET Core OpenAPI/Scalar document registration, showcase cart routing now opts intov1, and hosting coverage now locks/openapi/v2.jsonplus/scalar/v2behavior — composition HTTP tests 14/14 plus hosting tests 235/235 (Sprint 31)ENG-058-T33behavior REST OpenAPI versioned-config canonicalization:OpenApi:EnabledVersionsplusOpenApi:DefaultVersionis now the canonical host config for versioned API documents, legacyOpenApi:DocumentsandOpenApi:DefaultDocumentremain available for backward compatibility or custom named docs, the globalOpenApi:Versioninfo override now only applies to single-document hosts so multi-document metadata stays truthful, and the showcase sample plus authoring docs now demonstrate the numeric version contract — composition HTTP tests 14/14 plus hosting tests 235/235 (Sprint 31)ENG-058-T34Scalar multi-document doc-link follow-through:/scalarnow redirects to the configured default versioned document while/scalar/v1,/scalar/v2, and similar paths remain available as pinned doc links; hosting coverage and authoring docs now lock that behavior — composition HTTP tests 14/14 plus targeted hosting tests 2/2 (Sprint 31)ENG-058-T35canonical REST/doc version alignment:.ApiVersion(major)now prefixes behavior-owned REST routes with/v{major}so host-mounted/apisurfaces line up with the selected OpenAPI document, the showcase sample now exposes versioned REST routes under/api/v1/..., Scalar document selection rewrites back to canonical/scalar/v1and/scalar/v2links, and hosting/composition coverage locks the aligned contract — composition HTTP tests 14/14 plus targeted hosting tests 3/3 plus showcase hosting tests 34/34 (Sprint 31)ENG-058-T36configurable docs-route surfaces and module-major REST defaults:OpenApi:RoutePatternnow controls the OpenAPI JSON route,OpenApi:Scalar:RoutePrefixnow controls the Scalar UI base path,ApiRoutes:Prefixes:Restnow controls the built-in REST host prefix, andMapBehaviorRestGroup(...)now defaults its document/route version from the owning module descriptor major version while keeping.ApiVersion(...)as an explicit override. That round established the version-aligned REST/OpenAPI/Scalar contract before the broader transport-prefix unification landed — composition HTTP tests 14/14 plus hosting tests 4/4 plus showcase hosting tests 34/34 (Sprint 31)ENG-058-T37sharedBehaviorApiSurfacecanonical routing for generic behavior HTTP bindings:BehaviorTopologyDescriptornow carries a transport-agnosticApiSurface,BehaviorApiSurfaceDescriptor.CreateDefault(...)derives group/operation paths from the behavior id,WithApiSurface(...)plus the source generator keep fluent and compile-time topology aligned, and the JSON-RPC, GraphQL, GraphQL-SSE, GraphQL-WS, SSE, and WebSocket bindings now project canonical versioned routes from that shared surface. The earlier/behaviors/{id}compatibility aliases introduced in that round were later removed byENG-058-T39so the canonical versioned routes remain the only generic behavior HTTP surface — behavior API-surface tests 4/4 plus composition HTTP tests 14/14 (Sprint 31)ENG-058-T38canonicalApiRoutes:Prefixesdefaults across built-in and generic HTTP transport surfaces: the canonical host config now defaults toRest=/api,GraphQL=/graphql,JsonRpc=/json-rpc,Grpc=/grpc,Ws=/ws,Sse=/sse,GraphQLWs=/graphql-ws, andGraphQLSse=/graphql-sse; built-in transport mappers now read the same prefix contract as the generic behavior bindings; the showcase sample now consumes route prefixes from generated client config instead of hard-coded transport paths; and hosting/composition coverage now locks both default and override behavior — behavior API-surface + HTTP binding tests 22/22 plus targeted hosting tests 3/3 plus showcase hosting tests 34/34 (Sprint 31)ENG-058-T39remove generic/behaviors/{id}aliases from the behavior HTTP surface: canonical versioned routes are now the only generated behavior HTTP endpoints;BehaviorApiSurfaceRouteResolverno longer appends behavior-id compatibility aliases; the retired behavior-specific prefix/config aliases have been removed so the generic bindings read the same canonicalApiRoutes:Prefixes:*contract as the built-in host mappers; and XML comments, component docs, authoring guidance, and HTTP binding coverage now treat the canonical versioned routes as the single public contract — composition HTTP tests 24/24 (Sprint 31)ENG-058-T40public REST documentation separation plus tag-metadata follow-through: module-owned REST endpoints now own the published REST OpenAPI + Scalar surface,MapBehaviorRestGroup(...)can override tag names and descriptions explicitly, module XML<summary>plus<remarks>can now flow into top-level OpenAPI tag descriptions, and hosting/tooling coverage locks the public REST-vs-generic-adapter distinction — targeted hosting tests 3/3 plus package-surface tests 51/51 (Sprint 31)ENG-058-T41module-owned REST cleanup and removal of behavior-declared REST:http.restis no longer a valid behavior allowlist or topology transport,ViaHttpRest(...)and the generic REST binding/config surface were removed,Engine:Behaviorsnow stays focused on auto-registration instead of per-behavior REST overrides,ApiRoutes:Prefixes:Rest = ""still mounts versioned module-owned REST routes at the root whilenullstill falls back to/api, and docs/sourcegen/reference output now treatMapEndpoints(...)plusMapBehaviorRestGroup(...)as the only REST authoring path — behavior baseline + behavior source-generator + hosting + tooling coverage (Sprint 31)ENG-058-T42attribute-only behavior baseline synthesis plus transport alias normalization: the runtime now synthesizes topology from[BehaviorAllowedPatterns]plus[BehaviorAllowedTransports]when exactly one pattern is declared and no explicit topology exists, ambiguous multi-pattern declarations fail fast with a clearer authoring error,http.grpcis accepted as an allowlist alias for canonicalgrpc, and composition/component-doc coverage now lock the attribute-only registration behavior for non-REST transports (Sprint 31)ENG-058-T43module-owned behavior authoring base classes and ownership validation:IBehaviorModuleBuilder,IBehaviorOwnerModule, andOwnedBehaviorRegistrationnow make explicit module-owned behaviors a first-class engine contract,BehaviorModuleBaseandRestBehaviorModuleBasenow give authors a cleaner module API than implementing multiple interfaces directly, engine composition now validates duplicate ownership and preserves owned topology when auto-registration is enabled, REST helper mapping now rejects another module’s owned behavior, and docs/reference output now publish the new ownership-first authoring path — behavior baseline tests 47/47 plus hosting tests 3/3 plus tooling tests 72/72 (Sprint 31)ENG-058-T43explicit module-owned behavior authoring model:IBehaviorOwnerModule,IBehaviorModuleBuilder, andOwnedBehaviorRegistrationnow make module-owned behavior registration explicit;BehaviorModuleBaseandRestBehaviorModuleBasenow give developers a low-ceremony authoring path for process-only and REST-exposed behavior modules; engine composition now validates duplicate ownership across modules; and behavior-backed REST mapping now rejects modules that try to expose behaviors owned by another module — behavior baseline tests 46/46 plus REST OpenAPI hosting tests 3/3 plus package-surface tests 51/51 (Sprint 31)ENG-058-T43module-owned behavior authoring baseline:IBehaviorOwnerModule,IBehaviorModuleBuilder, andOwnedBehaviorRegistrationnow make module-owned behavior declarations explicit,BehaviorModuleBaseandRestBehaviorModuleBasegive authors a higher-level authoring path, engine build now rejects duplicate owners, and REST helper mapping now rejects cross-module behavior exposure when ownership is explicit (Sprint 31)ENG-058-T44single-surface REST behavior-module DSL and opt-in auto-registration fallback:RestBehaviorModuleBasenow centers authoring onConfigureRestBehaviors(IRestBehaviorModuleBuilder behaviors)so public REST routes and internal-only behavior ownership can live in one module method,IRestBehaviorModuleBuilderplusIRestBehaviorEndpointGroupBuildernow makeGroup(...).MapGet/MapPost/...imply ownership automatically whileInternal<TBehavior>()covers internal-only or custom/manual-route behaviors,MapAdditionalEndpoints(...)remains the advanced escape hatch for raw Minimal API work,Engine:Behaviors:AutoRegisternow defaults tofalseso module ownership is the primary path and assembly scanning is an opt-in fallback, and showcase/reference-doc/component coverage now all align with that authoring model — behavior owner + baseline tests 48/48 plus REST OpenAPI + showcase hosting tests 37/37 plus package-surface tests 51/51 (Sprint 31)ENG-058-T46transport-neutral behavior results plus optional REST result envelopes:Cephalon.Abstractionsnow shipsBehaviorResult<T>,IBehaviorResult,BehaviorResultStatus, andBehaviorFaultSeverityso behaviors can return structured expected outcomes without forcing HTTP envelopes into the core contract, explicit module-owned behaviors now fall back todirecttopology when no extra topology metadata is supplied, ASP.NET Core now exposesResultModel<T>,ResultModelError, andResultModelErrorDetailas the optional REST wire envelope behindApiRoutes:ResultEnvelope:Enabled, REST failures now use anerrorscollection so validation and other multi-reason outcomes can return more than one structured item, module-owned REST can wrap both rawTOutandBehaviorResult<T>results without forcing transport-specific envelopes back into the behavior contract, and module-owned REST OpenAPI now publishes wrapped success schemas without duplicating error properties on2xxresponses — behavior result + baseline tests 61/61 plus REST OpenAPI hosting tests 2/2 plus package-surface tests 51/51 (Sprint 31)ENG-058-T47plural REST error envelopes and multi-fault projection follow-through: the optional RESTResultModelErrorcontract now uses anerrorscollection instead of a singularerrorobject,BehaviorRestResponseMappernow projectsBehaviorFault.InnerFaultsinto multiple structured REST errors for validation and other multi-reason failures,ResultModelDocumentTransformernow treatserrorsas the canonical REST envelope property without carrying a legacy singular fallback, and hand-authored docs plus REST OpenAPI hosting coverage now lock the plural wire contract — REST OpenAPI hosting tests 5/5 plus package-surface tests 51/51 (Sprint 31)ENG-058-T48showcaseAddToCartBehaviorauthoring example forBehaviorResult<T>: the cart sample now demonstrates transport-neutral expected outcomes directly inAddToCartBehavior, including multi-fault validation throughBehaviorFault.InnerFaults, a conflict result when the cart is already checked out, showcase-host overrides that opt into the REST result envelope for focused tests, and module-authoring/component docs that now point to the cart sample as the concrete reference forBehaviorResult<T>plus RESTerrorsprojection — showcase hosting tests 36/36 (Sprint 31)ENG-058-T49concise no-payloadBehaviorResultfactories:BehaviorResultDescriptorplus implicit conversion intoBehaviorResult<T>now let common async-return branches useBehaviorResult.Invalid(...),BehaviorResult.NotFound(...),BehaviorResult.Conflict(...),BehaviorResult.Forbidden(...),BehaviorResult.Unauthorized(...), andBehaviorResult.NoContent(...)without restating the payload type; sample/component docs now demonstrate the shorter authoring path, and the authoring guidance now spells out the one remainingTask.FromResult<BehaviorResult<TOut>>(...)inference edge case explicitly — behavior result tests 3/3 plus package-surface tests 51/51 plus clean-worktree REST OpenAPI hosting verification (Sprint 31)ENG-058-T51conciseResult<T>/Resultaliases for transport-neutral outcomes:Cephalon.Abstractionsnow prefersResult<T>plusResult.*(...)for new behavior authoring while keepingBehaviorResult<T>/BehaviorResultas compatibility aliases, ASP.NET Core REST/OpenAPI detection now recognizes both result families, and the component/module-authoring docs now point teams to the shorter authoring shape by default while still documenting the legacy alias path (Sprint 31)ENG-058-T50configurable documented REST response statuses plus default500:OpenApi:BehaviorRest:DocumentedStatusCodesnow controls which HTTP status codes Cephalon’s behavior-owned REST helpers publish into OpenAPI + Scalar, the default documented status set now includes500, route-group defaults no longer force400/404when the host narrows the list, and hosting coverage now locks both the default500visibility and a custom filtered status-code list — REST OpenAPI hosting tests 6/6 (Sprint 31)ENG-058-T52Scalar version selector driven by the resolved document contract: the ASP.NET Core host now injects the resolved document-name list plus default document into the bundled Scalar configuration script, multi-version docs render a top-right selector that followsOpenApi:EnabledVersions/OpenApi:DefaultVersion, legacy custom document names still remain supported through the same selector path, and targeted hosting coverage now locks both the injected-script contract and canonical/scalarmulti-version routing behavior — targeted hosting tests 2/2 (Sprint 36)ENG-058-T53host-level published-version allow-list semantics for OpenAPI + Scalar: modules and behaviors still declare candidate document versions through.ApiVersion(...)or module-major defaults, butOpenApi:EnabledVersionsand legacyOpenApi:Documentsnow stay authoritative as the published-document allow-list, disabled defaults no longer expand that set, and targeted hosting coverage now locks the case wherev1,v2, andv3endpoints exist while the host publishes onlyv2plusv3— targeted hosting tests 3/3 (Sprint 36)ENG-058-T54Scalar toolbar-mounted version selector: the injected Scalar selector now mounts into theapi-reference-toolbarheader row instead of floating over the page actions when that toolbar host is available, while preserving the floating fallback for non-standard shells, and targeted hosting coverage now locks the new header-mount script contract so Configure/Share/Deploy stay unobscured — targeted hosting tests 2/2 (Sprint 36)ENG-058-T55REST endpoint authoring strategy and precedence model: the repo now records the long-term REST endpoint authoring recommendation indocs/architecture/rest-endpoint-authoring-strategy.md, keeps explicit module-owned REST as the canonical public path, defines future shorthand as projection-driven metadata instead of direct behavior-owned REST activation, and records the settled design rules in project memory so the next implementation slices can evolve from one stable design baseline (Sprint 36)ENG-058-T56normalized REST behavior projections beneath the module DSL:Cephalon.Behaviors.Httpnow compilesIRestBehaviorModuleBuilderauthoring into an internalRestBehaviorModuleProjectioncontract with normalized route-group and endpoint descriptors, reuses that same compiled projection for both module ownership registration and endpoint materialization throughRestBehaviorProjectionMaterializer, keeps the public REST DSL unchanged, and locks duplicate-behavior-id, explicit-topology, and projection-reuse semantics through targeted REST projection tests 5/5 (Sprint 36)ENG-058-T57resolved public REST endpoint runtime catalog and collision validation:Cephalon.Abstractionsnow exposesIRestEndpointRuntimeCatalog,IRestEndpointRuntimeRegistry, andRestEndpointRuntimeDescriptor;Cephalon.AspNetCorenow publishes/engine/rest-endpoints,/engine/rest-endpoints/{restEndpointId}, andsnapshot.RestEndpoints; the public REST host now fails fast when two resolved endpoints collide on the sameHTTP method + route pattern; and targeted hosting plus package-surface coverage lock the shipped runtime answer — targeted hosting tests 7/7 plus package-surface tests 52/52 (Sprint 36)ENG-058-T58manual module-owned REST runtime-catalog follow-through: the ASP.NET Core host now materializes the public REST runtime catalog from final route endpoints so plainIRestModule/IEndpointModuleroutes andRestBehaviorModuleBase.MapAdditionalEndpoints(...)behavior-helper routes join/engine/rest-endpointsandsnapshot.RestEndpointswithsourceKind = manual, while manual-vs-DSL collisions now fail on the sameHTTP method + route patternbaseline as projection-backed routes — targeted hosting tests 4/4 (Sprint 36)ENG-058-T59generic behavior transport route-version default follow-through: the ASP.NET Core host now keeps the generic JSON-RPC, GraphQL, GraphQL-SSE, GraphQL-WS, SSE, and WebSocket adapter route segment driven byApiRoutes:DefaultBehaviorDocumentNameor the raw configuredOpenApi:DefaultVersioninstead of reusing the published OpenAPI allow-list default, soOpenApi:EnabledVersionsand legacyOpenApi:Documentscontinue to govern only OpenAPI + Scalar publishing while the generic adapter routes remain independently versioned; explicit behavior-route overrides and the allow-list separation are now locked by composition HTTP binding tests 12/12 plus targeted hosting tests 2/2 (Sprint 36)ENG-058-T60ASP.NET Core hosting determinism and version-aware showcase route follow-through: the host now makes/engine/*Minimal API service binding explicit for .NET 10 parameter inference, strips transitive sampleConfigurations/**output from generic test projects, lets the showcase test harness point at the real sample content root, and keeps showcase orders-route assertions aligned with the owning module major version while the showcase transport projection keeps module-owned REST separate from generic behavior transport ids — targeted hosting tests 43/43 plus showcase hosting tests 60/60 (Sprint 36)ENG-058-T61metadata-only REST profile diagnostics and source-generated hints:Cephalon.Behaviors.Httpnow exposesBehaviorRestProfileAttribute,BehaviorRestMethod, andBehaviorRestProfileDescriptoras the metadata-only behavior-authored REST profile contract,Cephalon.Behaviors.SourceGennow validates those profiles throughABT0015throughABT0018and emits source-generatedGetRestProfiles()hints, and the repo guidance now points authors atRestBehaviorModuleBase.ConfigureRestBehaviors(...)while keeping public REST module-owned — source-generator tests 16/16 plus package-surface tests 1/1 (Sprint 36)ENG-058-T62explicit module-owned REST profile shorthand consumption:IRestBehaviorEndpointGroupBuilder.MapProfile<TBehavior>()now lets an owning module consume metadata-only behavior REST profiles through the same normalizedRestBehaviorModuleBaseprojection pipeline, preferring source-generatedGetRestProfiles()hints and falling back only to the explicitly targeted behavior type when generated hints are unavailable; profile metadata still contributes only method, relative pattern, and optional candidate API version while the owning module keeps the public prefix, tags, and published-document choice; conflicting profiled versions in one group now fail fast until the module resolves them explicitly; and/engine/rest-endpointskeepssourceKind = module-dslwhile exposingmetadata.authoringStyle = behavior-module-profilefor the shorthand path — targeted hosting tests 16/16 plus composition tests 5/5 plus package-surface tests 1/1 (Sprint 36)ENG-058-T63explicit REST profile binding descriptors and runtime metadata:Cephalon.Behaviors.Httpnow exposesBehaviorRestBindingAttribute,BehaviorRestBindingDescriptor, andBehaviorRestBindingSource;BehaviorRestProfileDescriptorplus source-generatedGetRestProfiles()hints now preserve explicit route/query/header/body binding plans; module-ownedMapProfile<TBehavior>()now validates those bindings and composes requests in override mode so explicit bindings win while unbound route placeholders and request bodies can still fill remaining object properties deterministically; body conflicts against explicit non-body bindings now fail fast; and/engine/rest-endpointsnow exposes additivemetadata.bindingDescriptorsfor profile-driven module-owned REST endpoints — source-generator tests 17/17 plus targeted hosting tests 23/23 plus package-surface tests 1/1 (Sprint 36)ENG-058-T64compile-time REST binding diagnostics and route-placeholder validation:Cephalon.Behaviors.SourceGennow rejects invalidBehaviorRestBindingAttributemetadata throughABT0019throughABT0025, including unsupported binding sources, missing or duplicate input-property targets, scalar-input misuse, body bindings on non-body verbs, and route bindings that do not match placeholders declared inBehaviorRestProfileAttribute.RelativePattern; generatedGetRestProfiles()output now resolves enum member names directly instead of depending on hard-coded numeric ordinals; andBehaviorRestProfileResolvernow re-checks route-placeholder truth soMapProfile<TBehavior>()stays fail-fast even when runtime falls back to direct attribute metadata — source-generator tests 26/26 plus targeted hosting tests 26/26 plus package-surface tests 1/1 (Sprint 36)ENG-058-T65typed REST endpoint runtime binding descriptors:Cephalon.Abstractionsnow exposesRestEndpointBindingDescriptorandRestEndpointBindingSourceas the transport-owned runtime contract,RestEndpointRuntimeDescriptorplussnapshot.RestEndpointsnow publish explicit profile-driven binding plans through the first-classBindingDescriptorsproperty,Cephalon.Behaviors.Httpnow adapts behavior-authored binding metadata into that transport contract during module-owned REST materialization, andCephalon.AspNetCoreno longer duplicates the same plan intometadata.bindingDescriptors— targeted hosting tests 10/10 plus package-surface tests 1/1 (Sprint 36)ENG-058-T66REST projection precedence and suppression visibility:Cephalon.Abstractionsnow exposes the REST endpoint candidate runtime contract,Cephalon.AspNetCorenow publishes/engine/rest-endpoint-candidatesplussnapshot.RestEndpointCandidates, andCephalon.Behaviors.Httpnow resolves precedence across normalized module-owned REST projections so explicit module DSL mappings suppress lower-precedenceMapProfile<TBehavior>()candidates for the same behavior by default while keeping published-versus-suppressed truth, winning candidate ids, and suppression reasons operator-visible — targeted hosting tests 28/28 plus package-surface tests 1/1 (Sprint 36)ENG-058-T67low-code generated module-owned REST projections:IRestBehaviorEndpointGroupBuilder.MapGeneratedProfiles()plusMapGeneratedProfiles(string behaviorIdPrefix)now let an owning module publish every matching profiled behavior beneath one owned route group without restating each behavior individually,Cephalon.Behaviors.SourceGennow emitsGetRestProfileBehaviorTypes()alongsideGetRestProfiles()so the generated path can stay sourcegen-first,BehaviorRestProfileResolvernow falls back only to a bounded scan of the explicit owning module assembly when generated type hints are unavailable, and the normalized candidate pipeline now keeps the effective behavior-projection precedence truthful asexplicit module DSL > MapProfile<TBehavior>() > MapGeneratedProfiles(...)while publishing generated shorthand asmetadata.authoringStyle = behavior-module-generated— source-generator tests 26/26 plus targeted hosting tests 33/33 plus package-surface tests 2/2 (Sprint 36)ENG-058-T68REST endpoint governance and controlled config suppression:Cephalon.Abstractionsnow exposesIRestEndpointSuppressionRuntimeCatalogplusRestEndpointSuppressionDescriptor,RestEndpointCandidateRuntimeDescriptornow distinguishes config-governed suppression throughSuppressedBySuppressionId,Cephalon.AspNetCorenow bindsRestApi:Suppressionsand publishes/engine/rest-endpoint-suppressionsplussnapshot.RestEndpointSuppressions, shorthand-suppression rules now fail fast when bothBehaviorsandModulesare missing, andCephalon.Behaviors.Httpnow resolves overlapping matching rules deterministically before applying suppression ahead of precedence resolution so hosts can suppressMapProfile<TBehavior>()orMapGeneratedProfiles(...)candidates without rewriting route shape or overriding explicit module DSL/manual routes — targeted hosting tests 40/40 plus package-surface tests 2/2 (Sprint 36)ENG-058-T69constrained shorthand API-version override governance:Cephalon.Abstractionsnow exposesIRestEndpointOverrideRuntimeCatalogplusRestEndpointOverrideDescriptor,RestEndpointCandidateRuntimeDescriptornow distinguishes config-governed shorthand version rewrites throughAppliedOverrideId,Cephalon.AspNetCorenow bindsRestApi:Overridesand publishes/engine/rest-endpoint-overridesplussnapshot.RestEndpointOverrides, shorthand-override rules now fail fast when bothBehaviorsandModulesare missing or whenApiVersionMajoris missing/non-positive, andCephalon.Behaviors.Httpnow resolves overlapping matching rules deterministically before retargeting descriptor-backed shorthand candidates to another effective API major version without overriding explicit module DSL/manual routes or shorthand groups that already declare.ApiVersion(...)explicitly — targeted hosting tests 49/49 plus package-surface tests 2/2 (Sprint 36)ENG-058-T70constrained shorthand REST method override governance:RestEndpointOverrideDescriptorplusRestApi:Overridesnow also support a shorthand HTTPMethodaction, shorthand-override rules now fail fast when they omit all override actions or declare an unsupported method, andCephalon.Behaviors.Httpnow resolves matching shorthand overrides into an effective projection that ASP.NET Core materializes directly so mapped endpoints,/engine/rest-endpoint-candidates,/engine/rest-endpoints,/engine/rest-endpoint-overrides, andsnapshot.RestEndpointOverridesall agree on the same method-shaped runtime truth; explicit module DSL/manual routes remain authoritative, and shorthand groups with explicit.ApiVersion(...)still win for version while method overrides can still apply — REST projection/hosting tests 54/54 plus package-surface tests 2/2 (Sprint 36)ENG-058-T71constrained shorthand REST pattern override governance:RestEndpointOverrideDescriptorplusRestApi:Overridesnow also support a shorthand relative-routePatternaction, shorthand-override rules now fail fast when they omit all override actions or declare an invalid route pattern, andCephalon.Behaviors.Httpnow resolves matching shorthand overrides into an effective projection that ASP.NET Core materializes directly so mapped endpoints,/engine/rest-endpoint-candidates,/engine/rest-endpoints,/engine/rest-endpoint-overrides, andsnapshot.RestEndpointOverridesall agree on the same pattern-shaped runtime truth; the current route-pattern slice allows only placeholder-preserving rewrites, so overrides can change static segments and reorder existing placeholders but fail fast when they add, remove, or rename placeholders; explicit module DSL/manual routes remain authoritative, and shorthand groups with explicit.ApiVersion(...)still win for version while pattern overrides can still apply — REST projection/hosting tests 61/61 plus package-surface tests 2/2 (Sprint 36)ENG-058-T72constrained shorthand REST binding override governance:RestEndpointOverrideDescriptorplusRestApi:Overridesnow also support explicitBindingsactions for descriptor-backed shorthand candidates, andCephalon.Behaviors.Httpnow resolves those rules into one effective binding plan that ASP.NET Core materializes and revalidates so/engine/rest-endpoint-candidates,/engine/rest-endpoints,/engine/rest-endpoint-overrides, andsnapshot.RestEndpointOverridesstay aligned to the same binding-shaped runtime truth; binding overrides replace the shorthand candidate’s explicit binding plan while still letting unbound route placeholders and remaining request-body fields fill object properties deterministically, invalid effective plans such as body bindings onGETfail fast, and explicit module DSL/manual routes remain authoritative — REST projection/hosting tests 65/65 (Sprint 36)ENG-058-T73constrained shorthand REST placeholder rename governance:Cephalon.Behaviors.Httpnow letsRestApi:Overridesrename shorthand route placeholders when the effective explicit route-binding plan covers the renamed placeholder set exactly, so ASP.NET Core can materialize/engine/rest-endpoint-candidates,/engine/rest-endpoints,/engine/rest-endpoint-overrides, andsnapshot.RestEndpointOverridesfrom one route-plus-binding truth without reopening inference drift; placeholder renames still fail fast when the effective route plan relies on inference instead of explicit route coverage, placeholder additions or removals remain later work, and explicit module DSL/manual routes remain authoritative — REST projection/hosting tests 68/68 (Sprint 36)ENG-058-T74constrained shorthand REST placeholder removal governance:Cephalon.Behaviors.Httpnow letsRestApi:Overridesremove shorthand route placeholders when the original projection already exposes an explicit route-binding plan that covers the original placeholder set and the effective explicit binding plan keeps every affected originally route-bound property explicitly bound, so ASP.NET Core can materialize/engine/rest-endpoint-candidates,/engine/rest-endpoints,/engine/rest-endpoint-overrides, andsnapshot.RestEndpointOverridesfrom one route-plus-binding truth even when a route-bound value moves to query, header, or body; removal attempts still fail fast when the original route shape relied on inference or when affected properties lose explicit binding coverage, placeholder additions remain later work, and explicit module DSL/manual routes remain authoritative — REST projection/hosting tests 73/73 (Sprint 36)ENG-058-T75constrained shorthand REST placeholder addition governance:Cephalon.Behaviors.Httpnow letsRestApi:Overridesadd shorthand route placeholders when the effective explicit route-binding plan covers the full final placeholder set and every newly route-bound property was already explicitly bound in the original projection, so ASP.NET Core can materialize/engine/rest-endpoint-candidates,/engine/rest-endpoints,/engine/rest-endpoint-overrides, andsnapshot.RestEndpointOverridesfrom one route-plus-binding truth even when a value moves from query, header, or body into the route; addition attempts still fail fast when final route coverage is incomplete or when the override tries to promote an implicitly bound property into the public route, and explicit module DSL/manual routes remain authoritative — REST projection/hosting tests 78/78 (Sprint 36)ENG-058-T76constrained shorthand REST implicit body-fallback route promotion:Cephalon.Behaviors.Httpnow letsRestApi:Overridesadd shorthand route placeholders when the effective explicit route-binding plan covers the full final placeholder set and every newly route-bound property was either already explicitly bound in the original projection or, forPOST/PUT/PATCH, already part of the original deterministic remaining-body fallback surface, so ASP.NET Core can keep/engine/rest-endpoint-candidates,/engine/rest-endpoints,/engine/rest-endpoint-overrides, andsnapshot.RestEndpointOverridesaligned to one route-plus-binding truth even when a value moves from implicit body fallback into the route; promotion attempts still fail fast when final route coverage is incomplete, when the source projection did not accept body input, or when the override would promote any other implicit property into the public route, and explicit module DSL/manual routes remain authoritative — REST projection/hosting tests 82/82 (Sprint 36)ENG-058-T77shorthand REST governance selector expansion:RestApi:SuppressionsandRestApi:Overridescan now refine descriptor-backedMapProfile<TBehavior>()andMapGeneratedProfiles(...)candidates withApiVersionMajors,Methods,RelativePatterns, andRouteGroupPrefixes; those selectors match the original shorthand candidate shape before override actions are applied so hosts can govern one of several shorthand candidates that share the same behavior/module identity without losing runtime truth, specificity now also considers the expanded selector dimensions and narrower selector sets, the runtime suppression/override catalogs now expose the selector arrays directly, and explicit module DSL/manual routes remain authoritative — REST projection/hosting tests 91/91 plus package-surface tests 53/53 (Sprint 36)ENG-058-T78shorthand REST original-projection runtime visibility:Cephalon.Abstractionsnow exposesRestEndpointCandidateProjectionDescriptorplusRestEndpointCandidateRuntimeDescriptor.OriginalProjectionso operator tooling can compare original shorthand route, method, version, route-group prefix, relative pattern, and binding-plan truth against the final effectiveProjectedEndpoint;Cephalon.Behaviors.Httpnow publishes that typed original projection before host overrides are applied while keepingProjectedEndpointas the final mapped answer; and/engine/rest-endpoint-candidatesplussnapshot.RestEndpointCandidatesnow serialize both surfaces without hiding override-driven rewrites — REST projection/hosting tests 91/91 plus package-surface tests 53/53 (Sprint 36)ENG-058-T79merge-mode shorthand REST binding overrides:Cephalon.Abstractionsnow exposesRestEndpointOverrideBindingMode,RestEndpointOverrideDescriptorplusRestEndpointOverrideOptionsnow surface the typed binding-mode contract,Cephalon.AspNetCorenow bindsRestApi:Overrides:*:BindingMode, andCephalon.Behaviors.Httpnow supportsmerge-explicitproperty-by-property binding patches in addition to the default full-planreplace-explicitbehavior so hosts can retarget shorthand bindings without restating every untouched explicit descriptor; runtime override catalogs and snapshots now keep that merge-versus-replace governance truth visible,merge-explicitwithoutBindingsnow fails fast, and explicit module DSL/manual routes remain authoritative — REST projection/hosting tests 96/96 plus package-surface tests 53/53 (Sprint 36)ENG-058-T80grouped REST publication visibility catalog:Cephalon.Abstractionsnow exposesIRestEndpointPublicationGroupRuntimeCatalogplusRestEndpointPublicationGroupDescriptor,Cephalon.AspNetCorenow publishes/engine/rest-endpoint-publication-groups,/engine/rest-endpoint-publication-groups/{behaviorId}, andsnapshot.RestEndpointPublicationGroups, and the host now groups the existing candidate-level truth per behavior so operators can inspect published candidates, precedence-suppressed candidates, governance-suppressed candidates, the winning precedence rank when one exists, and the ordered candidate set without manually joining several runtime surfaces — REST projection/hosting tests 41/41 plus package-surface tests 53/53 (Sprint 36)ENG-058-T81low-code inline module-owned REST authoring:Cephalon.Behaviors.Httpnow exposesRestBehaviorEngineBuilderExtensions.AddRestBehaviorModule<TMarker>()so hosts can register a real behavior-backed REST module without authoring a dedicatedRestBehaviorModuleBasesubclass; the helper still drives the same normalized projection/materialization/candidate/publication-group/governance pipeline as the class-based DSL, usesTMarkeras the generated-profile source-assembly marker and as the reusable helper’s distinct module-type identity, keeps[AppBehavior]alone from publishing public REST, and now proves bothMapProfile<TBehavior>()andMapGeneratedProfiles(...)through the inline path in hosting coverage — REST runtime/hosting tests 43/43 plus package-surface tests 54/54 (Sprint 36)ENG-058-T82bounded shorthand REST route-group-prefix overrides:Cephalon.Abstractionsnow extends the shorthand override contract withRouteGroupPrefix,Cephalon.AspNetCorenow binds that action fromRestApi:Overridesand keeps it visible through/engine/rest-endpoint-overridesplussnapshot.RestEndpointOverrides,Cephalon.Behaviors.Httpnow validates that published group-prefix rewrites stay beneath the active REST root, contain no placeholders, and do not silently change effective API-version truth, and the ASP.NET Core materializer now splits effective shorthand route groups when only some candidates in one authored group are remapped so actual HTTP routes stay aligned with/engine/rest-endpoint-candidates,/engine/rest-endpoints, and the runtime snapshot — REST projection/hosting tests 111/111 (Sprint 36)ENG-058-T83merge-mode shorthand REST binding withdrawals:Cephalon.Abstractionsnow extendsRestEndpointOverrideDescriptorwithRemovedBindingProperties,Cephalon.AspNetCorenow bindsRestApi:Overrides:*:RemovedBindingPropertiesand keeps the removed-property list visible through/engine/rest-endpoint-overridesplussnapshot.RestEndpointOverrides, andCephalon.Behaviors.Httpnow letsBindingMode = merge-explicitwithdraw selected original explicit bindings without restating untouched descriptors so shorthand candidates can fall back to the remaining deterministic route/body contract without drifting away from/engine/rest-endpoint-candidates,/engine/rest-endpoints, or the runtime snapshot; removal-only rules now normalize to merge mode automatically,replace-explicitcannot pair with removals, one merge rule cannot both remove and override the same property, removal targets must already exist in the source shorthand explicit binding plan, and the runtime override catalog now keeps both binding mode and removed-property truth visible — REST projection/hosting tests 117/117 plus package-surface tests 54/54 (Sprint 36)ENG-058-T84low-code generated module-path helpers with explicit ownership:Cephalon.Behaviors.Httpnow exposesIRestBehaviorModuleBuilder.GroupFromBehaviorIdPrefix(string)so modules can derive/foo/barfromfoo.barfor generated route groups without repeating both forms manually, andRestBehaviorEngineBuilderExtensions.AddGeneratedRestBehaviorModule<TMarker>()now wraps that same derivation for inline generated modules while still materializing a real module, feeding the same generated-profile projection/materialization/candidate/publication-group/governance pipeline, and failing fast when the behavior-id prefix cannot produce a deterministic route-group prefix — REST runtime/hosting tests 51/51 plus package-surface tests 55/55 (Sprint 36)ENG-058-T85stable shorthand candidate-id governance selectors: shorthand candidate ids now resolve from the original shorthand projection before host-level overrides are applied,RestApi:SuppressionsandRestApi:Overridesnow acceptCandidateIdsso a host can govern one exact shorthand candidate without composing a broader behavior/module rule first, runtime suppression/override catalogs plus the snapshot now surface those configured candidate ids directly, selector specificity now prefers candidate-targeted rules before broader selector matches, andProjectedEndpointcontinues to carry the effective mapped endpoint identity after override rewrites — REST projection tests 72/72 plus REST runtime/hosting tests 53/53 plus package-surface tests 56/56 (Sprint 36)ENG-058-T86shorthand candidate projected endpoint metadata alignment:Cephalon.Behaviors.Httpnow uses one shared operation-name/documentation convention path for both shorthand candidate resolution and final behavior-backed endpoint materialization, soProjectedEndpointin/engine/rest-endpoint-candidatesnow keeps endpoint name plus summary/description metadata aligned with/engine/rest-endpointsforMapProfile<TBehavior>()andMapGeneratedProfiles(...)candidates instead of leaving that operator-facing metadata incomplete until after ASP.NET Core materialization — REST projection tests 73/73 plus REST runtime/hosting tests 53/53 (Sprint 36)ENG-058-T87governance match visibility for shorthand REST candidates:Cephalon.Abstractionsnow extendsRestEndpointCandidateRuntimeDescriptorwith orderedMatchedSuppressionIdsandMatchedOverrideIds,Cephalon.Behaviors.Httpnow preserves the full specificity-ordered suppression/override match trace for shorthandMapProfile<TBehavior>()andMapGeneratedProfiles(...)candidates while leavingSuppressedBySuppressionIdandAppliedOverrideIdas the selected-winner truth, and the runtime snapshot plus/engine/rest-endpoint-candidatesnow keep overlapping governance matches visible without changing the existing specificity or precedence model — GitHub issue#352; REST projection tests 73/73 plus REST runtime/hosting tests 53/53 plus package-surface tests 56/56 (Sprint 36)ENG-058-T88constrained shorthand REST implicit query-fallback route promotion:Cephalon.Behaviors.Httpnow letsRestApi:Overridesadd shorthand route placeholders when the effective explicit route-binding plan covers the full final placeholder set and, for shorthand candidates with no explicit binding plan, every newly route-bound property was already part of the original implicit query-fallback surface, so shorthandGET-style profiles that still use the default query-plus-route merge path can promote selected values into the public route without losing runtime truth across/engine/rest-endpoint-candidates,/engine/rest-endpoints,/engine/rest-endpoint-overrides, andsnapshot.RestEndpointOverrides; explicit-binding shorthand candidates remain on the stricter explicit-binding path, and promotion still fails fast when final route coverage is incomplete or when the override would promote any other implicit property into the public route — GitHub issue#353; REST projection tests 74/74 plus REST runtime/hosting tests 54/54 (Sprint 36)ENG-058-T89preserve implicit query fallback for partially explicitized shorthand REST overrides:Cephalon.Behaviors.Httpnow preserves the remaining implicit query-fallback surface when a shorthand candidate originally had no explicit binding plan and a host override adds only partial explicit bindings, so reshape-only overrides no longer silently drop untouched query-bound properties;/engine/rest-endpoint-candidates,/engine/rest-endpoints, andsnapshotnow keep that truth visible through additivemetadata.bindingFallbackMode = preserve-source-implicit-fallback, while explicit-binding shorthand candidates remain on the stricter existing path — GitHub issue#354; REST projection tests 75/75 plus REST runtime/hosting tests 55/55 (Sprint 36)ENG-058-T90typed shorthand REST binding-fallback runtime contract:Cephalon.Abstractionsnow exposesRestEndpointBindingFallbackModeplus typedBindingFallbackModeproperties onRestEndpointCandidateProjectionDescriptorandRestEndpointRuntimeDescriptor,Cephalon.Behaviors.HttpplusCephalon.AspNetCorenow project the preserved implicit query-fallback answer onto the original shorthand projection and the effective published endpoint directly, and additivemetadata.bindingFallbackMode = preserve-source-implicit-fallbackremains compatibility-only metadata instead of the canonical runtime truth — GitHub issue#355; REST projection/runtime hosting tests 130/130 plus package-surface tests 57/57 (Sprint 36)ENG-058-T91published REST endpoint candidate provenance link:Cephalon.Abstractionsnow exposes nullableRestEndpointRuntimeDescriptor.CandidateId,Cephalon.Behaviors.Httpnow stamps published behavior-backed endpoints with the original candidate id during materialization,Cephalon.AspNetCorenow projects that provenance through/engine/rest-endpointsplussnapshot.RestEndpoints, manual endpoints staynull, and overridden shorthand endpoints keep pointing back to the original candidate instead of drifting to the effective published endpoint id — GitHub issue#356; targeted REST runtime/hosting tests 4/4 plus package-surface tests 1/1 (Sprint 36)ENG-058-T92typed published REST authoring-style runtime contract:Cephalon.Abstractionsnow exposes first-classRestEndpointRuntimeDescriptor.AuthoringStyle,Cephalon.AspNetCorenow projects explicit module DSL, profile shorthand, generated shorthand, behavior-helper, and manual Minimal API values through/engine/rest-endpointsplussnapshot.RestEndpoints,Cephalon.Behaviors.Httpnow keeps candidate-projected endpoints aligned through the same runtime descriptor surface, and additivemetadata.authoringStyleremains compatibility-only metadata instead of the canonical published-endpoint authorship answer — GitHub issue#357; targeted REST runtime/hosting tests 5/5 plus package-surface tests 1/1 (Sprint 36)ENG-058-T93typed published REST route-boundary runtime contract:Cephalon.Abstractionsnow exposes first-classRestEndpointRuntimeDescriptor.RouteGroupPrefixplusRelativePattern,Cephalon.AspNetCorenow projects the resolved published route-group boundary for behavior-backed and behavior-helper endpoints through/engine/rest-endpointsplussnapshot.RestEndpointswhile manual Minimal API endpoints staynull,Cephalon.Behaviors.Httpkeeps candidate-projected endpoints aligned through the same typed route-boundary surface, and additivemetadata.routeGroupPrefixplusmetadata.relativePatternremain compatibility-only metadata instead of the canonical published-endpoint route-boundary answer — GitHub issue#358; targeted REST runtime/hosting tests 14/14 plus package-surface tests 1/1 (Sprint 36)ENG-058-T94typed published REST behavior-type runtime contract:Cephalon.Abstractionsnow exposes first-class nullableRestEndpointRuntimeDescriptor.BehaviorType,Cephalon.AspNetCorenow projects the concrete behavior implementation identity for behavior-backed and behavior-helper published endpoints through/engine/rest-endpointsplussnapshot.RestEndpointswhile pure manual Minimal API endpoints staynull,Cephalon.Behaviors.Httpkeeps shorthand candidateProjectedEndpointentries aligned through the same runtime descriptor surface, and additivemetadata.behaviorTyperemains compatibility-only metadata instead of the canonical published-endpoint behavior-implementation answer — GitHub issue#359; targeted REST runtime/hosting tests 3/3 plus package-surface tests 1/1 (Sprint 36)ENG-058-T95typed published REST source-id runtime contract:Cephalon.Abstractionsnow exposes first-class nullableRestEndpointRuntimeDescriptor.SourceId,Cephalon.AspNetCorenow projects the published source identity for behavior-backed, behavior-helper, and manual module-owned REST endpoints through/engine/rest-endpointsplussnapshot.RestEndpoints,Cephalon.Behaviors.Httpkeeps shorthand candidateProjectedEndpointentries aligned through the same runtime descriptor surface, and additivemetadata.sourceIdremains compatibility-only metadata instead of the canonical published-endpoint source-identity answer — GitHub issue#360; targeted REST runtime/hosting tests 3/3 plus package-surface tests 1/1 (Sprint 36)ENG-058-T96typed route-boundary materialization cleanup:Cephalon.Behaviors.Httpnow resolves shorthand published route groups from first-classProjectedEndpoint.RouteGroupPrefixduring ASP.NET Core materialization so compatibilitymetadata.routeGroupPrefixno longer participates in internal route mapping, and targeted hosting coverage now proves materialization still succeeds when the typed property is present and compatibility metadata is absent while route-group override and split-group regressions stay green — GitHub issue#361; targeted hosting tests 6/6 (Sprint 36)ENG-058-T97shorthand REST endpoint-metadata override governance:Cephalon.Abstractionsnow extendsRestEndpointOverrideDescriptorwithEndpointName,Summary, andDescription,Cephalon.AspNetCorenow binds and publishes those shorthand override actions through/engine/rest-endpoint-overridesplussnapshot.RestEndpointOverrides,Cephalon.Behaviors.Httpnow projects the same effective endpoint metadata onto shorthand candidates and only marks metadata-only overrides as applied when they materially change the effective answer, and the ASP.NET Core runtime now keeps actual endpoint metadata plus/engine/rest-endpointsaligned with that same governed truth — GitHub issue#362; targeted REST projection/runtime hosting tests 9/9 plus package-surface tests 1/1 (Sprint 36)ENG-058-T98shorthand REST capability-boundary override governance:Cephalon.Abstractionsnow extendsRestEndpointOverrideDescriptorwithRequiredCapabilityKeyandRestEndpointRuntimeDescriptorwith first-class nullableRequiredCapabilityKey,Cephalon.AspNetCorenow binds and publishes that shorthand override action through/engine/rest-endpoint-overridesplussnapshot.RestEndpointOverrides, materializes the effective capability boundary from actual endpoint metadata for both shorthand and manual module-owned REST routes, and now treats the lastRequireCapability(...)declaration as authoritative so a later host override can supersede an earlier shorthandconfigureEndpointguard without double-enforcing both keys, whileCephalon.Behaviors.Httpnow projects the same governed capability boundary onto shorthand candidates and applies it during materialization so/engine/rest-endpoint-candidates,/engine/rest-endpoints, andsnapshotstay aligned with the actual runtime trust boundary — GitHub issue#363; targeted hosting tests 192/192 plus package-surface tests 65/65 (Sprint 36)ENG-058-T99shorthand REST capability-boundary clear governance:Cephalon.Abstractionsnow extendsRestEndpointOverrideDescriptorwithClearRequiredCapability,Cephalon.AspNetCorenow binds and publishes that shorthand override action through/engine/rest-endpoint-overridesplussnapshot.RestEndpointOverrides, rejects any one override rule that tries to both setRequiredCapabilityKeyand clear it, and materializes the clear through actual endpoint metadata and/engine/rest-endpointsso the effective runtime truth keepsRequiredCapabilityKey = nullwhen the clear wins, whileCephalon.Behaviors.Httpnow projects that same clear onto shorthand candidates and applies it during materialization so/engine/rest-endpoint-candidates,/engine/rest-endpoints, andsnapshotstay aligned when a host intentionally removes an inherited shorthand capability boundary — GitHub issue#364; targeted hosting tests 144/144 plus package-surface tests 65/65 (Sprint 36)ENG-058-T100published REST capability provenance:Cephalon.Abstractionsnow extendsRestEndpointRuntimeDescriptorwith nullableOriginalRequiredCapabilityKeyplusAppliedOverrideId,Cephalon.Behaviors.Httpnow captures the source shorthand capability boundary during ASP.NET Core materialization before later host capability overrides run, andCephalon.AspNetCorenow projects that source-versus-effective capability lineage through/engine/rest-endpointsplussnapshot.RestEndpointswhile leaving endpoint-levelAppliedOverrideIdnull for capability-only no-op clear matches that do not change the published answer — GitHub issue#365; targeted hosting tests 146/146 plus package-surface tests 66/66 (Sprint 36)ENG-058-T101candidate no-op capability override truth:Cephalon.Behaviors.Httpnow registers shorthand runtime candidates after ASP.NET Core materialization and reconciles published candidate provenance against the actual mapped endpoint metadata, so/engine/rest-endpoint-candidatesplussnapshot.RestEndpointCandidatesnow leaveAppliedOverrideId = nullwhen a capability-only override rule matches but does not change the effective published boundary, including no-op clears and same-key capability rewrites, whileMatchedOverrideIdsstill shows that the host rule matched — GitHub issue#367; targeted REST projection/runtime hosting tests 147/147 (Sprint 36)ENG-058-T102published REST matched-override visibility:Cephalon.Abstractionsnow extendsRestEndpointRuntimeDescriptorwith orderedMatchedOverrideIds,Cephalon.Behaviors.Httpnow carries that same ordered shorthand override match set through behavior-backed endpoint materialization, andCephalon.AspNetCorenow projects it through/engine/rest-endpointsplussnapshot.RestEndpointsso the final published runtime answer keeps matched host override rules visible, including capability-only no-op matches that still leaveAppliedOverrideId = null— GitHub issue#368; targeted REST projection/runtime hosting tests 147/147 plus package-surface tests 66/66 (Sprint 36)ENG-058-T103published REST original shorthand projection visibility:Cephalon.Abstractionsnow extendsRestEndpointRuntimeDescriptorwith nullableOriginalProjection,Cephalon.Behaviors.Httpnow carries that pre-override shorthand method/route/document-version/binding-plan truth through behavior-backed endpoint materialization, andCephalon.AspNetCorenow projects it through/engine/rest-endpointsplussnapshot.RestEndpointsso operators can compare original-versus-effective published endpoint shape without a candidate-catalog join while manual and behavior-helper endpoints staynull— GitHub issue#369; targeted REST runtime/hosting tests 60/60 plus package-surface tests 67/67 (Sprint 36)ENG-058-T104published REST original shorthand endpoint-metadata visibility:Cephalon.Abstractionsnow extendsRestEndpointRuntimeDescriptorwith nullableOriginalEndpointName,OriginalSummary, andOriginalDescription,Cephalon.Behaviors.Httpnow carries that pre-override shorthand endpoint-metadata truth through shorthand candidate resolution plus behavior-backed endpoint materialization, andCephalon.AspNetCorenow projects it through/engine/rest-endpointsplussnapshot.RestEndpointswhile the candidate catalog keeps the same lineage visible onProjectedEndpoint; manual and behavior-helper endpoints keep the original-metadata trionull— GitHub issue#370; targeted REST runtime/hosting tests 60/60 plus package-surface tests 68/68 (Sprint 36)ENG-058-T105shorthand REST endpoint-metadata clear governance:Cephalon.Abstractionsnow extendsRestEndpointOverrideDescriptorandCephalon.AspNetCoreoverride options withClearEndpointName,ClearSummary, andClearDescription, both public contracts now fail fast when one rule tries to both set and clear the same endpoint-metadata field,Cephalon.Behaviors.Httpnow projects shorthand metadata clears into the same effective candidate/runtime truth used for publication, andCephalon.AspNetCorenow removes the effective endpoint name/summary/description from actual ASP.NET Core metadata plus/engine/rest-endpointswhile preserving original shorthand metadata lineage throughOriginalEndpointName,OriginalSummary, andOriginalDescription— GitHub issue#371; targeted REST projection tests 93/93 plus targeted REST runtime/hosting tests 61/61 plus package-surface tests 68/68 (Sprint 36)ENG-058-T106published REST endpoint-metadata no-op override truth:Cephalon.Behaviors.Httpnow captures source shorthand endpoint metadata during ASP.NET Core materialization, reconciles metadata-only shorthand override provenance against the actual mapped endpoint metadata, and keeps/engine/rest-endpoint-candidates,/engine/rest-endpoints, andsnapshottruthful when a matched metadata rewrite or clear rule does not change the published answer because the owning module already set or cleared the same metadata; those matches now keepMatchedOverrideIdsvisible while leavingAppliedOverrideId = nullfor the published candidate and endpoint runtime answers — GitHub issue#372; targeted REST projection tests 96/96 plus targeted REST runtime/hosting tests 63/63 plus package-surface tests 68/68 (Sprint 36)ENG-058-T107truthful shorthand REST tag override governance:Cephalon.Abstractionsnow extendsRestEndpointOverrideDescriptorplusRestEndpointCandidateProjectionDescriptorwithTagName,Cephalon.AspNetCorenow binds and publishes that shorthand override action through/engine/rest-endpoint-overridesplussnapshot.RestEndpointOverrideswhile carrying original shorthand tag lineage throughRestEndpointRuntimeDescriptor.OriginalProjection, andCephalon.Behaviors.Httpnow applies tag rewrites only when they materially change the effective published answer while splitting effective materialization groups by route-group prefix plus tag so actual ASP.NET Core endpoint tag metadata,/engine/rest-endpoint-candidates,/engine/rest-endpoints, andsnapshotstay aligned when only some candidates in one authored group are retagged — GitHub issue#373; targeted REST projection tests 100/100 plus targeted REST runtime/hosting tests 64/64 plus package-surface tests 70/70 (Sprint 36)ENG-058-T108truthful shorthand REST OpenAPI document-name governance:Cephalon.Abstractionsnow extendsRestEndpointOverrideDescriptorplusRestEndpointCandidateProjectionDescriptorwithOpenApiDocumentName,Cephalon.AspNetCorenow binds and publishes that shorthand override action through/engine/rest-endpoint-overridesplussnapshot.RestEndpointOverrides, andCephalon.Behaviors.Httpnow adds.WithOpenApiDocumentName(...), keeps same-value document rewrites truthful, re-derives the effective document name fromApiVersionMajoronly when the authored shorthand group did not pin one explicitly, and splits effective materialization groups by route-group prefix plus document name plus tag so actual ASP.NET Core endpoint-group metadata,/engine/rest-endpoint-candidates,/engine/rest-endpoints, andsnapshotstay aligned when only some candidates in one authored group move documents — GitHub issue#374; targeted REST projection tests 106/106 plus targeted REST runtime/hosting tests 66/66 plus package-surface tests 72/72 (Sprint 36)ENG-058-T109shorthand REST document-and-tag selector targeting:Cephalon.Abstractionsnow extendsRestEndpointSuppressionDescriptorplusRestEndpointOverrideDescriptorwithOpenApiDocumentNamesandTagNames,Cephalon.AspNetCorenow binds and publishes those selector arrays through/engine/rest-endpoint-suppressions,/engine/rest-endpoint-overrides, andsnapshot, andCephalon.Behaviors.Httpnow matches those selectors against the original shorthand document/tag identity before override actions are applied so hosts can target one of several same-behavior candidates without depending on rewritten route shape — GitHub issue#375; targeted REST projection tests 108/108 plus targeted REST runtime/hosting tests 68/68 plus package-surface tests 73/73 (Sprint 36)ENG-058-T110shorthand REST clear-bindings governance:Cephalon.Abstractionsnow extendsRestEndpointOverrideDescriptorandCephalon.AspNetCoreoverride options withClearBindings, ASP.NET Core config binding plus/engine/rest-endpoint-overridesandsnapshot.RestEndpointOverridesnow publish that shorthand-only reset action, andCephalon.Behaviors.Httpnow lets a host discard a shorthand candidate’s explicit binding plan so request composition returns to the implicit route/query/body baseline while failing fast if the effective route would only remain satisfiable through removed explicit route-binding aliases — GitHub issue#376; targeted REST projection tests 114/114 plus targeted REST runtime/hosting tests 70/70 plus package-surface tests 74/74 (Sprint 36)ENG-058-T111truthful shorthand REST binding-order no-op governance:Cephalon.Behaviors.Httpnow treats reorder-only override rewrites of an equivalent explicit binding set as no-op governance, keeps source explicit binding order authoritative on the projected candidate and published endpoint, and leavesAppliedOverrideId = nullwhile preservingMatchedOverrideIdswhen the effective binding semantics do not change — GitHub issue#377; targeted REST projection tests 115/115 plus targeted REST runtime/hosting tests 71/71 (Sprint 36)ENG-058-T112shared shorthand REST binding-equivalence truth across projection and materialization:Cephalon.Behaviors.Httpnow centralizes equivalent explicit binding-set comparison in one shared comparer used by candidate resolution,RestBehaviorEndpointProjection.WithBindings(...), and ASP.NET Core structural override reconciliation, so reorder-only equivalent binding sets stay semantic no-op governance even for synthetic or future candidate paths and published endpoints no longer stamp endpoint-level override provenance when only descriptor order changes — GitHub issue#378; targeted REST projection tests 117/117 plus targeted REST runtime/hosting tests 71/71 (Sprint 36)ENG-058-T113truthful shorthand REST governance diagnostics visibility:Cephalon.Behaviors.Httpnow publishes a stableCephalon.Behaviors.Httpdiagnostics convention through/engine/diagnosticswith initial event ids5200through5204for governance suppression, precedence suppression, applied overrides, no-op override matches, and preserved binding fallback, and startup mapping now emits those information-level events only when logging is enabled while reconciling published candidate answers against post-materialization runtime truth whenever the runtime candidate registry is active so no-op published endpoints do not falsely claim applied-override provenance;ENG-058-T124later extended that convention with authoring-policy suppression event5205, andENG-058-T131later extended it again with governance-skipped explicit-DSL event5206— GitHub issue#379; targeted REST projection tests 117/117 plus targeted REST runtime/hosting tests 73/73 (Sprint 36)ENG-058-T114truthful shorthand REST remaining-body fallback visibility:Cephalon.Abstractionsnow extendsRestEndpointBindingFallbackModewithPreserveRemainingBodyFallback,Cephalon.Behaviors.Httpnow resolves that typed fallback mode for body-capable behavior-backed REST endpoints whenever explicit bindings still leave deterministic remaining request-body surface, andCephalon.AspNetCorenow carries the same answer through actual endpoint metadata plus/engine/rest-endpointsandsnapshot.RestEndpointswhile keepingmetadata.bindingFallbackMode = preserve-remaining-body-fallbackas compatibility-only metadata — GitHub issue#380; targeted REST projection tests 118/118 plus targeted REST runtime/hosting tests 73/73 plus package-surface tests 75/75 (Sprint 36)ENG-058-T115truthful shorthand REST preserved-fallback diagnostics parity:Cephalon.Behaviors.Httpnow emitsRestEndpointBindingFallbackPreservedevent5204for any changed non-null typedBindingFallbackModeinstead of only the earlier implicit-query preservation case, so startup logging stays aligned when merge removal or other shorthand override reconciliation preservesPreserveRemainingBodyFallback; focused projection and hosting coverage now prove both the runtime-catalog answer and emitted logging for that body-fallback path — GitHub issue#381; targeted REST projection tests 119/119 plus targeted REST runtime/hosting tests 74/74 (Sprint 36)ENG-058-T116centralize shorthand REST binding-fallback wire names:Cephalon.Abstractionsnow exposesRestEndpointBindingFallbackModeExtensions.GetWireName()plusTryParseWireName(...)as the canonical compatibility bridge forRestEndpointBindingFallbackMode,Cephalon.AspNetCorenow derives additivemetadata.bindingFallbackModevalues from that helper instead of maintaining independent hardcoded strings, and the public XML/docs wording now describes both preserved implicit-query and remaining request-body fallback semantics truthfully — GitHub issue#382; targeted REST projection tests 119/119 plus targeted REST runtime/hosting tests 74/74 plus package-surface tests 77/77 (Sprint 36)ENG-058-T117compile-time shorthand REST route-pattern validation:Cephalon.Behaviors.SourceGennow rejects malformedBehaviorRestProfileAttribute.RelativePatternplaceholder syntax throughABT0026, withholds generatedGetRestProfiles()hints when the declared route pattern is malformed, andBehaviorRestProfileResolvernow parses declared route patterns during runtime normalization even when no explicit bindings are present so direct attribute fallback or stale generated hints still fail fast before shorthand publication can materialize an invalid route shape — GitHub issue#383; targeted source-generator tests 27/27 plus targeted REST runtime/hosting tests 120/120 (Sprint 36)ENG-058-T118shorthand REST binding-fallback selector targeting:Cephalon.Abstractionsnow extendsRestEndpointSuppressionDescriptorplusRestEndpointOverrideDescriptorwithBindingFallbackModes,Cephalon.AspNetCorenow binds and publishes those selector arrays through/engine/rest-endpoint-suppressions,/engine/rest-endpoint-overrides, andsnapshot, andCephalon.Behaviors.Httpnow matches those selectors against the original shorthandBindingFallbackModeidentity before override actions are applied so hosts can target one of several same-behavior candidates by preserved fallback semantics without depending on rewritten published shape — GitHub issue#384; targeted REST projection tests 120/120 plus targeted REST runtime/hosting tests 76/76 plus package-surface tests 78/78 (Sprint 36)ENG-058-T119profile-authored shorthand REST implicit query-fallback parity:Cephalon.Behaviors.Httpnow extendsBehaviorRestProfileAttributeplusBehaviorRestProfileDescriptorwithPreserveImplicitQueryFallbackso explicit metadata-only REST profiles can keep the remaining implicit query-string fallback surface intentionally,Cephalon.Behaviors.SourceGennow validates that authoring contract throughABT0027and carries the flag through generatedGetRestProfiles()output, andBehaviorRestProfileResolvernow re-checks the same rule during runtime fallback so shorthand projection/runtime surfaces keepPreserveSourceImplicitFallbackaligned for module-owned profile consumption — GitHub issue#385; targeted source-generator tests 29/29 plus targeted REST projection/runtime hosting tests 203/203 plus package-surface tests 1/1 (Sprint 36)ENG-058-T120shorthand REST original binding-plan selector targeting:Cephalon.Abstractionsnow extendsRestEndpointSuppressionDescriptorplusRestEndpointOverrideDescriptor, andCephalon.AspNetCoresuppression/override options, with exact original explicitTargetBindingsselector sets that the runtime catalogs publish through/engine/rest-endpoint-suppressions,/engine/rest-endpoint-overrides, andsnapshot;Cephalon.Behaviors.Httpnow matches those selectors against the original shorthand explicit binding-plan identity before override actions are applied, using descriptor-set equivalence so hosts can target route-only versus richer explicitly bound candidates without depending on rewritten published shape — GitHub issue#386; targeted REST projection/runtime hosting tests 6/6 plus package-surface tests 1/1 (Sprint 36)ENG-058-T121shorthand REST publication-group authoring-style visibility:Cephalon.Abstractionsnow exposesRestEndpointPublicationGroupAuthoringStyleDescriptor, andRestEndpointPublicationGroupDescriptor.AuthoringStyleSummariesnow derives a first-class per-authoring-style summary directly from the grouped candidate truth so/engine/rest-endpoint-publication-groupsplussnapshot.RestEndpointPublicationGroupsalso show which authoring styles participated, which remained published, and which were precedence-suppressed or governance-suppressed without changing publication semantics — GitHub issue#387; targeted REST runtime/hosting tests 3/3 plus package-surface tests 3/3 (Sprint 36)ENG-058-T122REST publication-group authoring-policy contract:Cephalon.Abstractionsnow also exposesRestEndpointPublicationGroupAuthoringPolicyDescriptor, grouped publication answers now also carryRestEndpointPublicationGroupDescriptor.AuthoringPolicy,RestApi:AuthoringPolicies:{behaviorId}now binds default-versus-configured authoring-policy intent forAllowMultiplePublishedCandidatesplus preferred/allowed/disallowed authoring styles, and/engine/rest-endpoint-publication-groupsplussnapshot.RestEndpointPublicationGroupsnow round-trip that effective policy without changing current publication semantics — GitHub issue#388; targeted REST runtime/hosting tests 4/4 plus package-surface tests 4/4 (Sprint 36)ENG-058-T123shorthand REST allow-multiple authoring-policy enforcement:Cephalon.Behaviors.Httpnow honorsRestApi:AuthoringPolicies:{behaviorId}:AllowMultiplePublishedCandidatesduring candidate resolution so lower-precedence unsuppressed shorthand candidates can remain published together when one grouped behavior boundary explicitly opts into that outcome, while route-collision validation remains authoritative and co-published shorthand candidates now disambiguate effective endpoint names deterministically by authoring style, route shape, and candidate identity while preservingOriginalEndpointNamelineage; the broader preferred/allowed/disallowed authoring-style enforcement then landed inENG-058-T124— GitHub issue#389; targeted REST projection tests 1/1 plus targeted REST runtime/hosting tests 3/3 (Sprint 36)ENG-058-T124shorthand REST authoring-policy suppression truth:Cephalon.Abstractionsnow exposesRestEndpointAuthoringPolicySuppressionKindplusRestEndpointCandidateRuntimeDescriptor.SuppressedByAuthoringPolicyKind, grouped publication answers now also expose authoring-policy-suppressed candidate buckets, andCephalon.Behaviors.Httpnow enforcesPreferredAuthoringStyle,AllowedAuthoringStyles, andDisallowedAuthoringStylesfor shorthandbehavior-module-profileandbehavior-module-generatedcandidates while keeping explicit module DSL publication authoritative; startup diagnostics/logging now also emit event5205for authoring-policy suppression so runtime truth distinguishes governance suppression, authoring-policy suppression, and candidate-precedence publication cleanly — GitHub issue#390; targeted REST projection tests 4/4 plus targeted REST runtime/hosting tests 4/4 plus package-surface tests 6/6 (Sprint 36)ENG-058-T125truthful shorthand REST selected-override visibility:Cephalon.Abstractionsnow exposes nullableSelectedOverrideIdon bothRestEndpointCandidateRuntimeDescriptorandRestEndpointRuntimeDescriptor,Cephalon.Behaviors.Httpnow keeps the winning shorthand override rule visible on published candidates and endpoints even when post-materialization reconciliation proves the rule was a runtime no-op andAppliedOverrideIdmust remainnull, and governance no-op diagnostics/logging now explicitly name the selected winning override instead of only echoing the matched set — GitHub issue#391; targeted REST projection/runtime hosting tests 10/10 plus package-surface tests 2/2 (Sprint 36)ENG-058-T126truthful shorthand REST governance selection-basis visibility:Cephalon.Abstractionsnow exposesRestEndpointGovernanceRuleSelectionBasisplus candidateSuppressionSelectionBasisandOverrideSelectionBasis,RestEndpointRuntimeDescriptornow also exposes endpoint-levelOverrideSelectionBasis, andCephalon.Behaviors.HttpplusCephalon.AspNetCorenow carry the earliest decisive specificity answer through shorthand candidate resolution, post-materialization publication,/engine/rest-endpoint-candidates,/engine/rest-endpoints, andsnapshotso operators can see not only which rule won but why it beat the runner-up — GitHub issue#392; targeted REST projection/runtime hosting tests 6/6 plus package-surface tests 10/10 (Sprint 36)ENG-058-T127derive inline generated REST shorthand from module descriptor id:Cephalon.Behaviors.Httpnow exposesRestBehaviorEngineBuilderExtensions.AddGeneratedRestBehaviorModule<TMarker>(EngineBuilder, ModuleDescriptor, Action<IRestBehaviorEndpointGroupBuilder>?), which derives the generated behavior-id prefix fromModuleDescriptor.Idfor the common inline module case, reuses the same fail-fast deterministic route-group validation already enforced byGroupFromBehaviorIdPrefix(...), preserves the explicit overload when the module id and generated prefix should differ, and still never publishes public REST from[AppBehavior]alone — GitHub issue#393; targeted REST runtime/hosting tests 4/4 plus package-surface tests 1/1 (Sprint 36)ENG-058-T128explicit module-DSL host-governance opt-in:Cephalon.Behaviors.Httpnow exposesIRestBehaviorEndpointGroupBuilder.AllowHostGovernance(), which lets an explicit module-owned route group opt into ASP.NET CoreRestApi:SuppressionsandRestApi:Overrideswithout changing its authoring style;Cephalon.Abstractionsnow keeps that runtime truth visible throughRestEndpointCandidateProjectionDescriptor.AllowsHostGovernanceplus publishedOriginalProjection, shorthand candidates still participate by default, and host rules still leave explicit module DSL out of scope unless they explicitly target authoring stylebehavior-module-dsl— GitHub issue#394; targeted REST runtime/hosting tests 5/5 plus package-surface tests 98/98 (Sprint 36)ENG-058-T129explicit REST governance-skipped visibility:Cephalon.Abstractionsnow exposes orderedSkippedSuppressionIdsandSkippedOverrideIdson bothRestEndpointCandidateRuntimeDescriptorandRestEndpointRuntimeDescriptor, andCephalon.Behaviors.HttpplusCephalon.AspNetCorenow keep those skipped rule ids visible when host suppression or override rules target an explicit module-DSL candidate that did not opt into host governance;Matched*, suppression, precedence, and authoring-policy truth remain unchanged, so runtime operators can distinguish governance-ineligible explicit ownership from a selector miss — GitHub issue#395; targeted REST projection/runtime hosting tests 5/5 plus package-surface tests 98/98 (Sprint 36)ENG-058-T130grouped REST host-governance eligibility and skipped-rule visibility:Cephalon.Abstractionsnow exposes groupedHostGovernanceEligibleCandidateIds,HostGovernanceIneligibleCandidateIds,SkippedSuppressionIds, andSkippedOverrideIdson bothRestEndpointPublicationGroupDescriptorandRestEndpointPublicationGroupAuthoringStyleDescriptor, and the ASP.NET Core publication-group runtime catalog now derives those summaries directly from candidate truth so/engine/rest-endpoint-publication-groupsplussnapshot.RestEndpointPublicationGroupskeep explicit module-DSL governance ineligibility visible without candidate-by-candidate reconstruction — GitHub issue#396; targeted REST publication-group hosting tests 2/2 plus package-surface tests 1/1 (Sprint 36)ENG-058-T131skipped explicit REST governance diagnostics:Cephalon.Behaviors.Httpnow extends the stableCephalon.Behaviors.Httpdiagnostics convention withRestEndpointGovernanceSkippedevent5206, and startup materialization now emits that information-level log when host suppression or override rules target an explicit module-DSL candidate that did not opt into host governance, so/engine/diagnosticsplus startup logging distinguish governance-ineligible explicit ownership from selector misses and actual winning host rules while echoing the skipped suppression and override ids — GitHub issue#397; targeted REST runtime/hosting tests 5/5 (Sprint 36)ENG-058-T132configured and effective REST override action visibility:Cephalon.Abstractionsnow exposes typedRestEndpointOverrideActionKind, configuredRestEndpointOverrideDescriptor.ActionKinds, and selected-versus-applied override action kinds on bothRestEndpointCandidateRuntimeDescriptorandRestEndpointRuntimeDescriptor, whileCephalon.AspNetCoreplusCephalon.Behaviors.Httpnow propagate those declared-versus-effective action dimensions through/engine/rest-endpoint-overrides,/engine/rest-endpoint-candidates,/engine/rest-endpoints, andsnapshotso no-op override winners keep their selected dimensions visible without falsely claiming a material runtime rewrite — GitHub issue#398; targeted REST runtime/hosting tests 2/2 plus package-surface tests 3/3 (Sprint 36)ENG-058-T133REST override action visibility in governance diagnostics:Cephalon.Behaviors.Httpnow extends the stable override-applied and override-no-op diagnostics story so startup logging and/engine/diagnosticsboth expose selected-versus-applied override action-kind wire names beside the winning override ids, keeping the operator log surface aligned with the runtime-catalog truth fromENG-058-T132without forcing manual route diffs — GitHub issue#399; targeted REST runtime/hosting tests 2/2 (Sprint 36)ENG-058-T134REST governance selection-basis visibility in startup diagnostics:Cephalon.Behaviors.Httpnow extends the stable governance diagnostics story so startup logging and/engine/diagnosticsexpose the decisive suppression selection-basis wire name on event5200plus the decisive override selection-basis wire name on events5202and5203, keeping operator-facing startup truth aligned with the runtime-catalogSuppressionSelectionBasis/OverrideSelectionBasisanswers fromENG-058-T126— GitHub issue#401; targeted REST runtime/hosting tests 2/2 (Sprint 36)ENG-058-T135REST binding-fallback wire-name parity in startup diagnostics:Cephalon.Behaviors.Httpnow logsRestEndpointBindingFallbackPreservedevent5204with the stableRestEndpointBindingFallbackModewire name fromRestEndpointBindingFallbackModeExtensions.GetWireName()instead of the raw enum member name, keeping startup operator truth aligned with JSON serialization, additive compatibility metadata, and the runtime-catalogBindingFallbackModecontract — GitHub issue#402; targeted REST runtime/hosting tests 2/2 (Sprint 36)ENG-058-T136strict REST binding-fallback selector wire-name parsing:Cephalon.AspNetCorenow treatsRestApi:Suppressions:*:BindingFallbackModesandRestApi:Overrides:*:BindingFallbackModesas wire-name-only config surfaces, rejecting legacy PascalCase enum-member aliases so host governance, runtime catalogs, diagnostics, and compatibility metadata all share the same stable fallback-mode vocabulary end-to-end — GitHub issue#403; targeted REST runtime/hosting tests 2/2 (Sprint 36)ENG-058-T137REST override binding-mode wire-name parity:Cephalon.Abstractionsnow exposesRestEndpointOverrideBindingModeExtensionsplus stablereplace-explicit/merge-explicitJSON wire names forRestEndpointOverrideBindingMode, andCephalon.AspNetCorenow treatsRestApi:Overrides:*:BindingModeas the same wire-name-only config surface so host governance config, runtime catalogs, and serialized override truth all use one canonical vocabulary while rejecting legacy PascalCase enum-member aliases — GitHub issue#404; targeted REST runtime/hosting tests 2/2 plus package-surface tests 3/3 (Sprint 36)ENG-058-T138REST override binding-mode unspecified wire-name parity:Cephalon.Abstractionsnow givesRestEndpointOverrideBindingMode.Unspecifiedthe stable JSON/runtime wire nameunspecified, and/engine/rest-endpoint-overridesplussnapshot.RestEndpointOverridesnow preserve that canonical wire name forClearBindingsrules that omitted an explicit binding mode while other rules still normalize toreplace-explicitormerge-explicit;Cephalon.AspNetCorestill keepsRestApi:Overrides:*:BindingModeexplicit-mode-only for host config (replace-explicit/merge-explicit) — GitHub issue#405; targeted REST runtime/hosting tests 1/1 plus package-surface tests 4/4 (Sprint 36)ENG-058-T139REST binding-source wire-name parity:Cephalon.Abstractionsnow exposesRestEndpointBindingSourceExtensionsplus stableroute/query/header/bodyJSON wire names forRestEndpointBindingSource,Cephalon.AspNetCorenow treatsRestApi:Overrides:*:Bindings:*:Source,RestApi:Overrides:*:TargetBindings:*:Source, andRestApi:Suppressions:*:TargetBindings:*:Sourceas the same wire-name-only config surface, runtime binding-descriptor JSON now uses that canonical vocabulary across/engine/rest-endpoints,/engine/rest-endpoint-overrides,/engine/rest-endpoint-suppressions, andsnapshot, and the hand-authored docs now correct theT138wording sobindingMode = unspecifiedis described as aClearBindings-only preserved omission case — GitHub issue#406; targeted REST runtime/hosting tests 7/7 plus package-surface tests 6/6 (Sprint 36)ENG-058-T140stabilize REST candidate-status wire names:Cephalon.Abstractionsnow exposesRestEndpointCandidateStatusExtensionsplus stablepublished/suppressedJSON wire names forRestEndpointCandidateStatus, and/engine/rest-endpoint-candidates,/engine/rest-endpoint-candidates/{candidateId}, andsnapshot.RestEndpointCandidatesnow expose candidate publication state through that canonical operator-facing vocabulary instead of raw enum-number serialization — GitHub issue#407; targeted REST runtime/hosting tests 1/1 plus package-surface tests 4/4 (Sprint 36)ENG-058-T141normalize behavior REST binding-source wire names:Cephalon.Behaviors.Httpnow exposesBehaviorRestBindingSourceExtensionsplus stableroute/query/header/bodyJSON wire names forBehaviorRestBindingSource, andCephalon.Behaviors.SourceGennow validates[BehaviorRestBinding]metadata against that canonical wire-name vocabulary while still emitting the resolved enum member names into generatedGetRestProfiles()hints so future enum-member renames that preserve the wire-name contract do not break module-owned REST shorthand — GitHub issue#408; targeted source-generator tests 3/3 plus package-surface tests 6/6 (Sprint 36)ENG-058-T142normalize behavior REST method wire names:Cephalon.Behaviors.Httpnow exposesBehaviorRestMethodExtensionsplus stableget/post/put/patch/deleteJSON wire names forBehaviorRestMethod, andCephalon.Behaviors.SourceGennow validates[BehaviorRestProfile]metadata against that canonical wire-name vocabulary while still emitting the resolved enum member names into generatedGetRestProfiles()hints so future enum-member renames that preserve the wire-name contract do not break module-owned REST shorthand — GitHub issue#409; targeted source-generator tests 4/4 plus package-surface tests 7/7 (Sprint 36)ENG-058-T143align behavior REST runtime guidance with stable wire names:Cephalon.Behaviors.Httpnow reuses the same canonicalget/post/put/patch/deleteandroute/query/header/bodyvocabularies in runtime attribute-fallback and explicit binding-plan normalization errors, soMapProfile<TBehavior>()fallback, binding-plan normalization, and last-mile profile-method conversion keep operator guidance aligned with JSON serialization and source generation — GitHub issue#410; targeted hosting/runtime tests 3/3 (Sprint 36)ENG-058-T144finish behavior REST method-guidance parity:Cephalon.Behaviors.Httpnow also reuses the canonicalget/post/put/patch/deletevocabulary in non-body method body-binding rejections and unsupported REST method parser failures, so source generation, JSON serialization, runtime fallback, body-capability validation, and parser guidance all point at one stable behavior-authored REST method contract — GitHub issue#411; targeted hosting/runtime tests 3/3 (Sprint 36)ENG-058-T145lock authoring-policy suppression wire names in runtime JSON:/engine/rest-endpoint-candidates,/engine/rest-endpoint-candidates/{candidateId}, andsnapshot.RestEndpointCandidatesnow have targeted hosting/runtime coverage that locksSuppressedByAuthoringPolicyKindonto the canonicaldisallowed-authoring-style,not-allowed-authoring-style, andpreferred-authoring-style-selectedwire names, so operator-facing shorthand-governance payloads do not drift back to raw enum-member or numeric serialization behavior — GitHub issue#412; targeted hosting/runtime tests 1/1 (Sprint 36)ENG-058-T146surface authoring-policy suppression kinds in publication groups:Cephalon.Abstractionsnow exposesRestEndpointPublicationGroupAuthoringPolicySuppressionDescriptor, grouped publication answers now also publishAuthoringPolicySuppressionSummariesat both the behavior-group level and inside eachRestEndpointPublicationGroupAuthoringStyleDescriptor, and/engine/rest-endpoint-publication-groups,/engine/rest-endpoint-publication-groups/{behaviorId}, plussnapshot.RestEndpointPublicationGroupsnow keep the canonical groupeddisallowed-authoring-styleandnot-allowed-authoring-stylesuppression breakdown visible without re-reading the candidate catalog — GitHub issue#413; targeted hosting/runtime tests 2/2 plus package-surface tests 3/3 (Sprint 36)ENG-058-T147surface grouped governance rule summaries in publication groups:Cephalon.Abstractionsnow exposesRestEndpointPublicationGroupGovernanceSuppressionSummaryDescriptorplusRestEndpointPublicationGroupGovernanceOverrideSummaryDescriptor, grouped publication answers now also publishGovernanceSuppressionSummariesandGovernanceOverrideSummariesat both the behavior-group level and inside eachRestEndpointPublicationGroupAuthoringStyleDescriptor, and/engine/rest-endpoint-publication-groups,/engine/rest-endpoint-publication-groups/{behaviorId}, plussnapshot.RestEndpointPublicationGroupsnow keep matched-versus-suppressed and matched/selected/applied host-rule outcomes visible, including no-op override winners whose applied bucket stays empty, without re-reading the candidate catalog — GitHub issue#414; targeted hosting/runtime tests 3/3 plus package-surface tests 4/4 (Sprint 36)ENG-058-T148surface grouped skipped-governance rule summaries in publication groups:Cephalon.Abstractionsnow exposesRestEndpointPublicationGroupGovernanceSkippedSuppressionSummaryDescriptorplusRestEndpointPublicationGroupGovernanceSkippedOverrideSummaryDescriptor, grouped publication answers now also publishSkippedSuppressionSummariesandSkippedOverrideSummariesat both the behavior-group level and inside eachRestEndpointPublicationGroupAuthoringStyleDescriptor, and/engine/rest-endpoint-publication-groups,/engine/rest-endpoint-publication-groups/{behaviorId}, plussnapshot.RestEndpointPublicationGroupsnow keep per-rule candidate mappings for governance-ineligible explicit module-DSL routes visible without re-reading the candidate catalog — GitHub issue#415; targeted hosting/runtime tests 4/4 plus package-surface tests 8/8 (Sprint 36)ENG-058-T149surface grouped governance provenance in publication groups:Cephalon.Abstractionsnow exposesRestEndpointPublicationGroupGovernanceSelectionBasisSummaryDescriptorplusRestEndpointPublicationGroupGovernanceOverrideActionKindSummaryDescriptor, grouped suppression summaries now also publishSelectionBasisSummaries, grouped override summaries now also publishSelectionBasisSummariesplusSelectedActionKindSummaries/AppliedActionKindSummaries, and/engine/rest-endpoint-publication-groups,/engine/rest-endpoint-publication-groups/{behaviorId}, plussnapshot.RestEndpointPublicationGroupsnow keep grouped decisive governance-precedence and declared-versus-effective override-action visibility aligned with candidate runtime truth without re-reading the candidate catalog — GitHub issue#416; targeted hosting/runtime tests 4/4 plus package-surface tests 10/10 (Sprint 36)ENG-058-T150surface rule-centric REST governance effects:Cephalon.Abstractionsnow extendsRestEndpointSuppressionDescriptorwithMatchedCandidateIds,SuppressedCandidateIds,SkippedCandidateIds, andSelectionBases, and extendsRestEndpointOverrideDescriptorwithMatchedCandidateIds,SelectedCandidateIds,AppliedCandidateIds,SkippedCandidateIds,SelectionBases,SelectedActionKinds, andAppliedActionKinds;Cephalon.AspNetCorenow derives those per-rule runtime-effect buckets lazily from the candidate runtime catalog so/engine/rest-endpoint-suppressions,/engine/rest-endpoint-overrides, and the matching snapshot surfaces answer both configured rule intent and actual runtime footprint without manually rejoining candidate payloads — GitHub issue#417; targeted hosting/runtime tests 4/4 plus package-surface tests 1/1 (Sprint 36)ENG-058-T151surface rule-centric REST governance provenance summaries:Cephalon.Abstractionsnow exposes reusableRestEndpointGovernanceSelectionBasisSummaryDescriptorandRestEndpointGovernanceOverrideActionKindSummaryDescriptorcontracts, extendsRestEndpointSuppressionDescriptorwith groupedSelectionBasisSummaries, and extendsRestEndpointOverrideDescriptorwith groupedSelectionBasisSummaries,SelectedActionKindSummaries, andAppliedActionKindSummaries;Cephalon.AspNetCorenow derives those grouped per-rule provenance buckets from the same candidate runtime catalog so/engine/rest-endpoint-suppressions,/engine/rest-endpoint-overrides, and the matching snapshot surfaces can answer which candidate ids belonged to each decisive basis or override-action bucket without reopening grouped publication answers — GitHub issue#418; targeted hosting/runtime tests 3/3 plus package-surface tests 3/3 (Sprint 36)ENG-058-T152surface rule-centric REST authoring-policy runtime catalog:Cephalon.Abstractionsnow exposesIRestEndpointAuthoringPolicyRuntimeCatalog,RestEndpointAuthoringPolicyDescriptor, andRestEndpointAuthoringPolicySuppressionSummaryDescriptor;Cephalon.AspNetCorenow derives one behavior-level authoring-policy runtime answer from configuredRestApi:AuthoringPoliciesplus candidate truth, publishes/engine/rest-endpoint-authoring-policies,/engine/rest-endpoint-authoring-policies/{behaviorId}, and the matching snapshot surface, keeps explicitly configured-but-unmatched policies visible, and separates retained/published/precedence/governance buckets plus grouped authoring-policy suppression summaries without reopening grouped publication answers — GitHub issue#419; targeted hosting/runtime tests 3/3 plus package-surface tests 2/2 (Sprint 36)ENG-058-T153surface rule-centric REST authoring-policy style summaries:Cephalon.Abstractionsnow also exposesRestEndpointAuthoringPolicyAuthoringStyleDescriptor,RestEndpointAuthoringPolicyDescriptornow also carriesAuthoringStyleSummaries, andCephalon.AspNetCorenow derives per-authoring-style candidate, retained, published, precedence-suppressed, governance-suppressed, and authoring-policy-suppressed buckets plus grouped suppression summaries for/engine/rest-endpoint-authoring-policies,/engine/rest-endpoint-authoring-policies/{behaviorId}, andsnapshot.RestEndpointAuthoringPolicies, while explicitly configured-but-unmatched policies keep an empty style-summary set — GitHub issue#420; targeted hosting/runtime tests 3/3 plus package-surface tests 3/3 (Sprint 36)ENG-058-T154surface rule-centric REST authoring-policy governance eligibility and skipped-rule visibility:RestEndpointAuthoringPolicyDescriptorandRestEndpointAuthoringPolicyAuthoringStyleDescriptornow also keepHostGovernanceEligibleCandidateIds,HostGovernanceIneligibleCandidateIds,SkippedSuppressionIds, andSkippedOverrideIds, andCephalon.AspNetCorenow derives those behavior-level and per-style governance-eligibility buckets directly from candidate runtime truth so/engine/rest-endpoint-authoring-policies,/engine/rest-endpoint-authoring-policies/{behaviorId}, andsnapshot.RestEndpointAuthoringPolicieskeep explicit ownership and skipped host-rule visibility readable without reopening grouped publication answers — GitHub issue#421; targeted hosting/runtime tests 4/4 plus package-surface tests 3/3 (Sprint 36)ENG-058-T155surface rule-centric REST authoring-policy governance summaries:Cephalon.Abstractionsnow exposes reusableRestEndpointGovernanceSuppressionSummaryDescriptor,RestEndpointGovernanceOverrideSummaryDescriptor,RestEndpointGovernanceSkippedSuppressionSummaryDescriptor, andRestEndpointGovernanceSkippedOverrideSummaryDescriptor;RestEndpointAuthoringPolicyDescriptorplusRestEndpointAuthoringPolicyAuthoringStyleDescriptornow also carry grouped governance suppression, override, and skipped-rule summaries; andCephalon.AspNetCorenow derives those rule summaries directly from candidate runtime truth so/engine/rest-endpoint-authoring-policies,/engine/rest-endpoint-authoring-policies/{behaviorId}, andsnapshot.RestEndpointAuthoringPoliciescan answer matched-versus-suppressed, selected-versus-applied, and skipped-rule candidate mappings without reopening grouped publication answers — GitHub issue#422; targeted hosting/runtime tests 5/5 plus package-surface tests 6/6 (Sprint 36)ENG-058-T156shorthand REST original endpoint-name selector targeting:Cephalon.Abstractionsnow extendsRestEndpointSuppressionDescriptorplusRestEndpointOverrideDescriptor, andCephalon.AspNetCoresuppression/override options, withEndpointNames;Cephalon.Behaviors.Httpnow matches those selectors againstProjectedEndpoint.OriginalEndpointNamebefore override actions are applied so hosts can target one of several same-behavior shorthand candidates by authored endpoint metadata without depending on rewritten published shape, selector specificity now countsEndpointNamesconsistently, the suppression/override runtime catalogs publish those selector arrays directly, andCephalon.AspNetCorenow rebuilds authoring-policy governance summaries through host-local builders instead of abstraction-internal helpers so the assembly boundary stays clean — issue #423; targeted hosting/runtime tests 3/3 plus package-surface tests 1/1 (Sprint 36)ENG-058-T157shorthand REST inline-helper convenience overloads:Cephalon.Behaviors.Httpnow addsmoduleId/displayName/descriptionconvenience overloads forAddRestBehaviorModule<TMarker>(),AddGeneratedRestBehaviorModule<TMarker>(configureGroup?), andAddGeneratedRestBehaviorModule<TMarker>(behaviorIdPrefix, configureGroup?)so hosts can keep the inline module-owned REST path terse without manually constructingModuleDescriptor; the new overloads delegate to the existing descriptor-based helpers, preserve the same marker-based source-assembly plus module-identity semantics, keep the normalized projection/materialization/candidate/governance pipeline unchanged, and retain the explicit generatedbehaviorIdPrefixescape hatch when inline module identity and generated ownership should differ — issue #424; targeted hosting/runtime tests 6/6 plus package-surface tests 1/1 (Sprint 36)ENG-058-T158shorthand REST governance-scope selector targeting:Cephalon.Behaviors.Httpnow addsIRestBehaviorEndpointGroupBuilder.WithHostGovernanceScope(...), route groups now preserve that authored scope throughRestEndpointCandidateProjectionDescriptor.HostGovernanceScope,Cephalon.AbstractionsplusCephalon.AspNetCoresuppression/override contracts now exposeHostGovernanceScopes, selector matching plus specificity now count that dimension consistently, and explicit module-DSL routes can carry a governance scope without entering host governance unlessAllowHostGovernance()still opts them in separately — issue #425; targeted hosting/runtime tests 8/8 plus package-surface tests 5/5 (Sprint 36)ENG-058-T159scope-first shorthand REST governance targeting:RestEndpointSuppressionOptionsandRestEndpointOverrideOptionsnow treatHostGovernanceScopesas a primary selector besideCandidateIds,Behaviors, andModules, so scope-only host-governance rules no longer fail fast while empty-selector rules still do; targeted runtime coverage now proves that scope-only rules work for shorthand candidates and governable explicit module-DSL routes without hiding original-versus-effective runtime truth — issue #426; targeted projection tests 4/4 plus targeted hosting/runtime tests 6/6 (Sprint 36)ENG-058-T160scope-first REST runtime parity and action-family provenance: scope-onlyHostGovernanceScopestargeting is now explicitly proven through the suppression, override, publication-group, authoring-policy, and snapshot answers without falling back to behavior-id selectors, and ASP.NET Core materialization now only emits applied override provenance when the selected rule’s own capability or endpoint-metadata action family materially changed the published answer so capability-only no-op matches remain selected-only — issue #427; filtered hosting/runtime suites 245/245 plus package-surface tests 146/146 (Sprint 36)ENG-058-T161explicit preserved query-fallback placeholder promotion:Cephalon.Behaviors.Httpnow lets shorthand profiles that already declare explicit bindings and intentionally preserve source implicit query fallback promote that remaining query surface into added route placeholders through host overrides, keepsPreserveImplicitQueryFallbackaligned through override normalization whenever the effective binding plan still has explicit bindings and should retain that source contract, and now clears candidate/publishedBindingFallbackModetruthfully once the effective binding plan fully consumes the preserved fallback surface — issue #480; targeted projection tests 4/4 plus targeted hosting/runtime tests 4/4 (Sprint 36)ENG-058-T162merge-mode explicit-query binding-withdrawal safety and preserved runtime truth:Cephalon.Behaviors.Httpnow rejectsmerge-explicitshorthand overrides that would stop explicitly binding a source query-bound property on non-body methods unless the source profile explicitly preserved implicit query fallback or the host clears bindings entirely, and candidate plus published runtime truth now keepOriginalProjection.BindingFallbackModeas authored-source truth whileProjectedEndpoint.BindingFallbackModecan surface newly re-exposedPreserveSourceImplicitFallbackafter the override — issue #481; targeted projection tests 2/2 plus targeted hosting/runtime tests 2/2 (Sprint 36)ENG-058-T163low-code generated REST profile-group shorthand with preserved module ownership:Cephalon.Behaviors.Httpnow exposesIRestBehaviorModuleBuilder.MapGeneratedProfileGroups(string)plus the shared-group-configuration overload so an owning module can fan one generated behavior-id root prefix out into several derived route groups without restating each group manually; Cephalon groups matching generated profiles by their parent behavior-id prefix, reusesGroupFromBehaviorIdPrefix(...)derivation plus the same owning-module sourcegen-first profile resolution path, applies shared group-level conventions before publication, and keeps generated publication on the existingbehavior-module-generatedcandidate, publication-group, governance, and runtime-catalog path instead of inventing a new publication source — issue #482; targeted projection tests 1/1 plus targeted hosting/runtime tests 1/1 plus package-surface tests 1/1 (Sprint 36)ENG-058-T164behavior-id-prefix REST governance selectors with preserved runtime truth:Cephalon.Abstractionsnow extends the REST suppression/override contracts andCephalon.AspNetCoreconfig binding withBehaviorIdPrefixes, those prefixes now count as primary selectors beside exact candidate/behavior/module/scope selectors,Cephalon.Behaviors.Httpnow matches them against the original dot-separated behavior-id hierarchy before override actions are applied so hosts can govern one generated grouped subtree without enumerating every exact behavior id, exact behavior-id rules still beat broader prefixes while longer prefixes beat shorter ones through the stablenarrower-behavior-scopebasis, and the suppression/override runtime catalogs plussnapshotnow keep the configured prefix arrays and decisive selection-basis truth visible directly — issue #483; filtered hosting/runtime suites 260/260 plus package-surface tests 2/2 (Sprint 36)ENG-058-T165behavior-id-prefix grouped-operator parity across publication groups and authoring policies: targeted ASP.NET Core hosting coverage now explicitly proves that the exact-versus-prefix shorthand governance story fromBehaviorIdPrefixesflows through/engine/rest-endpoint-publication-groups,/engine/rest-endpoint-authoring-policies, and the matchingsnapshotanswers, including per-authoring-style grouped summaries where broader prefix rules stay visible as matched-only suppression or override outcomes beside narrower exact winners — issue #484; filtered hosting/runtime suites 4/4 (Sprint 36)ENG-058-T166behavior-id-prefix skipped-governance parity across grouped REST operator surfaces: targeted ASP.NET Core hosting coverage now explicitly proves that prefix-targeted suppression and override rules still surface as skipped outcomes when they match an explicit module-DSL behavior subtree that did not opt into host governance, keeping/engine/rest-endpoint-publication-groups,/engine/rest-endpoint-authoring-policies, direct runtime catalogs, andsnapshotaligned on skipped rule ids and summaries instead of falsely implying a selector miss — issue #485; filtered hosting/runtime suites 4/4 (Sprint 36)ENG-058-T167inline grouped generated REST module helper with preserved module ownership:Cephalon.Behaviors.Httpnow exposesRestBehaviorEngineBuilderExtensions.AddGeneratedRestBehaviorModuleGroups<TMarker>()so hosts can keep theMapGeneratedProfileGroups(...)path low-code without a dedicated module class; the helper still materializes a real module, delegates to the same grouped generated projection/publication-group/governance/runtime-catalog pipeline, lets the common overload derive the grouped generated root prefix from the inline module id while preserving explicitbehaviorIdPrefixandModuleDescriptoroverloads when identity or metadata should differ, and now reuses the same fail-fast dot-separated prefix validation across grouped generated helper entry points — issue #486; targeted hosting/runtime tests 5/5 plus package-surface tests 1/1 (Sprint 36)ENG-058-T168behavior-backed REST module starter template:Cephalon.TemplatePacknow shipscephalon-rest-behavior-moduleso module authors can start directly fromRestBehaviorModuleBaseplus a profiled starter behavior mapped throughMapProfile<TBehavior>()instead of beginning from the genericIRestModulepath and migrating later; the new starter keeps package-manifest output aligned, demonstrates localized behavior-backed REST ownership with the recommended module-owned DSL, and extends template-pack smoke coverage to install and generate the new starter alongside the existing blueprint and module templates — issue #487; targeted template-pack tests 3/3 (Sprint 36)ENG-058-T169REST docs closeout posture and compatibility guidance: the remaining adoption-facing REST docs now describe the shipped engine-first module-owned baseline as a settled strategy rather than an active feature roadmap, steer new behavior-backed public APIs towardcephalon-rest-behavior-moduleplusRestBehaviorModuleBase, align compatibility guidance with the shipped REST authoring/governance/runtime contract, and record that any future new publication sources remain deferred unless they preserve the same runtime-truth pipeline — issue #488; docs-only alignment review, no automated tests (Sprint 36)ENG-058-T170align scaffolded REST apps with behavior-backed module ownership:Cephalon.Scaffolding,Cephalon.TemplatePack, and the shipped blueprint samples now keep REST-enabled public starter modules onRestBehaviorModuleBase.ConfigureRestBehaviors(...).MapProfile<TBehavior>()instead ofModuleBaseplusIEndpointModule; REST-enabled scaffold/template outputs now addCephalon.Behaviors.Http, generated README guidance now points teams at the module-owned behavior-backed public REST baseline, and tooling coverage now locks that starter path whilecephalon-rest-moduleandCephalon.ReferenceModule.Operationsremain the generic non-behavior path — issue #489; targeted tooling tests 11/11 (Sprint 36)ENG-058-T171host-governed preserved implicit-query fallback for explicit shorthand withdrawals:Cephalon.Abstractionsnow exposesRestEndpointOverrideActionKind.PreserveImplicitQueryFallbackplusPreserveImplicitQueryFallbackon REST override contracts,Cephalon.AspNetCorenow bindsRestApi:Overrides:*:PreserveImplicitQueryFallbackand surfaces that declared-versus-applied action through the runtime override catalogs, andCephalon.Behaviors.Httpnow allows merge-mode explicit query-binding withdrawals on non-body methods when a winning override intentionally preserves the remaining source query surface so candidate/publishedBindingFallbackModetruth stays aligned with runtime behavior — issue #490; filtered hosting/runtime suites 271/271 plus package-surface tests 151/151 (Sprint 36)ENG-058-T172REST projection-governance benchmark and release guardrails:Cephalon.Benchmarksnow addsRestEndpointProjectionGovernanceBenchmarks.BuildMapGovernedRestCatalogsas the first engine-first ASP.NET Core REST startup/materialization lane for generated/profile/DSL precedence, shorthand-only authoring-policy enforcement, grouped generated ownership, suppression and override selection, explicit.ApiVersion(...)group authority, and preserved implicit query fallback;Cephalon.Behaviors.SourceGennow emitsBehaviorRestProfileDescriptor.PreserveImplicitQueryFallbackwith the correct named argument casing so source-generated shorthand metadata stays buildable; andscripts/validate-release.ps1, benchmark docs, README guidance, the guardrail catalog, plus a shared in-process benchmark smoke config now keep that REST lane and the shipped hot-path guardrail catalog in the default release-validation posture — issue #491; focused REST benchmark run plus guardrail validation (Sprint 36)ENG-058-T173context-aware grouped generated REST configuration with preserved module ownership:Cephalon.Behaviors.Httpnow exposes derived-prefix-awareIRestBehaviorModuleBuilder.MapGeneratedProfileGroups(...)and matchingRestBehaviorEngineBuilderExtensions.AddGeneratedRestBehaviorModuleGroups<TMarker>(...)overloads so one owning module or inline helper can configure each derived generated group with awareness of its exact generated behavior-id prefix; Cephalon now keeps per-branch API-version, tag, and governance-scope conventions low-code while preserving the same sourcegen-first grouped generated projection,behavior-module-generatedauthoring style, publication-group, governance, and runtime-catalog path instead of forcing manual group enumeration or inventing a new publication source — issue #492; filtered projection/runtime suites 273/273 plus package-surface tests 151/151 (Sprint 36)ENG-058-T174request-time REST feature-flag boundaries with preserved published runtime truth:Cephalon.Abstractionsnow extendsRestEndpointRuntimeDescriptorwith orderedRequiredFeatureFlagIdsplusOriginalRequiredFeatureFlagIds, extends REST override contracts withRequiredFeatureFlagIdsplusClearRequiredFeatureFlags, and adds the matching override action kinds;Cephalon.AspNetCorenow exposesRequireFeatureFlag(...),RequireFeatureFlags(...), andClearRequiredFeatureFlags()for REST endpoints, evaluates those boundaries at request time throughIFeatureTogglewhile preserving the active host environment in the HTTP evaluation context, and keeps/engine/rest-endpoints,/engine/rest-endpoint-overrides, andsnapshot.RestEndpointsaligned with the same effective-versus-original feature-boundary truth;Cephalon.Behaviors.Httpnow carries that same feature-boundary governance through shorthand candidate projection and published endpoint materialization so feature-only no-op matches stay selected-only while real rewrites surface applied override provenance — issue #502; filtered hosting/runtime suites 283/283 plus package-surface tests 157/157 (Sprint 36)ENG-058-T175behavior-level feature-flag execution with preserved module ownership and runtime truth:Cephalon.Abstractionsnow extends behavior topology with orderedRequiredFeatureFlagIdsplusSourceModuleId, addsIBehaviorTopologyBuilder.RequireFeatureFlag(...)/RequireFeatureFlags(...), and exposesBehaviorFeatureDisabledException;Cephalon.Behaviorsnow preserves those feature gates through owned-registration module identity, source-generated topology literals, sharedIFeatureToggleevaluation middleware, and runtime-surface metadata soBehaviorRuntimeContributorcan report both feature-gated behavior counts and per-behavior ownership truth;Cephalon.Behaviors.Httpnow projects the same gates through module-owned REST helpers plus JSON-RPC with truthful404/-32004behavior, while messaging bindings treat disabled executions as skipped instead of retryable failures — issue #503; targeted composition tests 44/44 plus hosting tests 2/2 plus package-surface tests 157/157 (Sprint 36)
Exit criteria:
- behaviors compose across multiple transports and patterns through a single dispatch model
- transport bindings stay additive through companion packages
- pattern execution strategies are selectable per behavior through configuration
- source generator catches mismatches at build time rather than runtime
Phase 10: Non-relational provider baseline
Section titled “Phase 10: Non-relational provider baseline”Status: done
Goal: prove the companion-pack data provider pattern across all major non-relational store categories without changing Cephalon.Engine or Cephalon.Abstractions.
Delivered:
- 9 non-relational provider families shipped across Sprints 25–31:
- MongoDB (document-store) — Sprint 25, 599/599 tests
- Redis (key-value-store) — Sprint 26, 607/607 tests
- Neo4j (graph-store) — Sprint 27, 615/615 tests
- Cassandra (wide-column-store) — Sprint 28, 624/624 tests
- ClickHouse (analytics-store) — Sprint 29, 632/632 tests
- Elasticsearch (search-store) — Sprint 30, 640/640 tests
- OpenSearch (search-store) — Sprint 30
- Qdrant (vector-store) — Sprint 31, 648/648 tests
- NATS (ledger-store) — Sprint 31
- each provider family delivers both
Cephalon.Data.{Provider}andCephalon.EventSourcing.{Provider}companion packages (18 packages total) - full component-guide documentation for all 18 packages
- test assembly split into 4 focused assemblies (Infrastructure Phase 2):
Cephalon.Tests.Composition(327),Cephalon.Tests.Hosting(200),Cephalon.Tests.Tooling(121)
Exit criteria:
- every major store category (document, key-value, graph, wide-column, analytics, search, vector, ledger) has a Cephalon-supported
IOutbox/IInbox/IEventStoreimplementation - no changes to
Cephalon.EngineorCephalon.Abstractionswere required - all companion packs follow the same module/registration/capability pattern established by
Cephalon.Data.EntityFramework
Cross-cutting follow-through: Database topology and durable audit history
Section titled “Cross-cutting follow-through: Database topology and durable audit history”Status: in progress
Goal: separate physical database role topology, migration targeting, and durable audit-history routing from the logical Engine:Data app-model slice so one Cephalon codebase can move between single-database, split read/write, dedicated outbox, and dedicated history layouts through configuration and additive companion packs.
Target: Sprint 31–33
Planned deliverables:
ENG-060engine-ownedEngine:Databasestopology contract with named roles such asWrite,Read, andHistory- runtime introspection for active database roles and topology answers through a dedicated catalog plus
/engine/snapshot ENG-061role-aware relational follow-through soCephalon.Data.EntityFrameworkconsumes database-role topology instead of inventing a separate physical-layout model- migration targeting that references named roles, keeps startup apply explicit, and treats bundle/script-based deployment as the production path
ENG-062durable audit-history follow-through that keepsCephalon.Auditnarrow while letting a first provider-backed store target a named database roleENG-063durable audit-history reader, retention, and operator-surface follow-through on top of the first provider-backed storeENG-064durable audit-history export follow-through on top of the same provider-backed storeENG-066engine-owned database-role catalog and operator surface on top of the raw topology contract
Current truth:
- the initial
ENG-060baseline is now shipped:Engine:Databasesprojects intoEngineSettings,AppProfile.Databases,/engine/databases,/engine/app-model, and/engine/snapshot ENG-061is now shipped:Cephalon.Data.EntityFrameworkconsumes the engine-ownedwriteand optionalreadroles directly, exposes role and migration metadata through the runtime surface, and can execute startup schema apply for those registeredDbContextroles through a generic-host hosted serviceENG-062is now shipped:Cephalon.Audit.EntityFrameworkconsumesEngine:Audit:Historyplus the selected engine-owned database role named byEngine:Audit:History:DatabaseRole, publishes durable audit-store metadata, and proves the topology in the showcase sample with dedicatedwrite,read, andhistorydatabases for Docker-backed runs while still allowing isolated in-memory role overrides for zero-setup local and test runsENG-063is now shipped: durable audit history now also includesEngine:Audit:History:Retention, a host-agnosticIAuditHistoryReader,/engine/audit-history, and showcase-facing audit-history endpoints over the same durable storeENG-064is now shipped: durable audit history now also includesEngine:Audit:History:Export, a host-agnosticIAuditHistoryExporter,/engine/audit-history/export, and showcase-facing NDJSON export endpoints over the same durable storeENG-065is now shipped: dependentOutbox/Historyroles can explicitly reusewritethroughUseRole, and runtime metadata now reports requested versus resolved roles for the first truthful role-reference baselineENG-066is now shipped: the engine now exposes a first-class resolved database-role catalog throughIDatabaseRoleCatalog,/engine/database-roles,/engine/database-roles/{databaseRoleId}, andsnapshot.DatabaseRoles, including co-location, consumers, and audit-history metadataENG-067is now shipped: the engine now exposes a first-class database-migration catalog throughIDatabaseMigrationCatalog,/engine/database-migrations,/engine/database-migrations/{databaseMigrationId}, andsnapshot.DatabaseMigrations, while the showcase sample now keeps the same surfaces active outside Docker through unique in-memory fallback roles and keeps separatewrite,read, andhistorymigration targets truthful for Docker-backed runsENG-068is now shipped: the engine-owned database-role catalog now carries live provider-contributed health and migration diagnostics, dependentUseRoletargets can inherit resolved-role runtime truth, and the migration catalog now also carries provider-added deploy-time command templates throughDatabaseMigrationCommandDescriptor;Cephalon.Data.EntityFrameworkpublishes both live probe metadata and bundle/script/update guidance, the command descriptor now also carries typed operator metadata for tool/category/working-directory fields so consumers do not have to infer those reusable semantics only from metadata keys,DatabaseMigrationDescriptornow carries a typedRecommendedExecutionOrderso operator playbooks can reuse one engine-owned migration sequence, and the same descriptor now also mirrors resolved-role runtime truth through typed role-health, role-migration, and observed-at fields so hosts do not need metadata-only parsing for stable engine-owned answers. The showcase sample now keeps that truth visible end to end through the runtime snapshot plus/api/v1/showcase/system/database-topology, including sample-level operator insights that point back to the raw engine routes, richer migration-command guidance in/showcase, explicit migration runtime notes in the operator projection, additive repo-root runnable commands for the showcase sample, an ordered sample migration playbook driven by the engine-published order hints, a top-level sample readiness summary, an ordered operator action plan,/api/v1/showcase/system/database-topology/briefas a shareable Markdown operator handoff, and/api/v1/showcase/system/database-topology/handoffas a downloadable self-describing package with a package README plus machine-readable manifest without redefining the engine contractENG-086is now shipped:Engine:Databases:RuntimeplusAppProfile.Databases.Runtimenow exposeRoleProbeFreshnessSeconds, role-resolution merges keep shared and role-specific freshness overrides truthful across direct roles and dependentUseRoletargets,Cephalon.Data.EntityFrameworknow uses that engine-owned contract to cache probe results with explicitprobeSource,probeFreshnessOrigin,probeFreshUntilUtc, andprobeAgeSecondsmetadata while invalidating cached answers when migration runtime state changes, and the showcase sample now keeps that live-versus-cached truth visible in/api/v1/showcase/system/database-topologyplus/showcasewithout inventing sample-only rulesENG-087is now shipped: the engine-owned database-role contract now also exposes a typedDatabaseRoleProbeDescriptorthroughDatabaseRoleRuntimeDescriptor.ProbeplusDatabaseRoleDescriptor.Probe,Cephalon.Data.EntityFrameworknow projects stable cache/freshness/source timing through that typed surface while keeping runtime metadata for additive provider details and compatibility, and the showcase sample now consumes the typed probe contract directly in its operator projection/UI instead of parsing stableprobe*metadata keys locallyENG-088is now shipped:Cephalon.Abstractionsnow exposes an engine-owned database-topology operational snapshot contract,Cephalon.Enginenow publishes/engine/database-topologyplussnapshot.DatabaseTopologyas the canonical operator posture summary, advisory, and ordered action-plan surface across role health, migration status, and production-guidance completeness, and the showcase sample now consumes that engine-owned answer directly for readiness and core advisories while keeping read-model drift/backlog follow-through sample-specificENG-089is now shipped: the showcase sample now consumes the engine-owned database-topology action-plan contract directly instead of rebuilding engine role or migration remediation locally, preserves stable action categories plus source role and migration ids in the operator projection/UI/brief, and the docs plus package-surface coverage now describe that shared contract truthfullyENG-090is now shipped:Cephalon.Abstractionsnow exposesDatabaseMigrationOperationalPlaybook,DatabaseMigrationOperationalStep, andIDatabaseMigrationOperationalPlaybookProvider,Cephalon.Enginenow publishes/engine/database-migration-playbookplussnapshot.DatabaseMigrationPlaybookas the canonical ordered migration answer over the lower-level migration catalog, and the showcase sample now consumes that engine-owned playbook directly while keeping repo-root runnable command adaptation and read-model follow-through sample-specific instead of re-deriving migration sequencing locallyENG-091is now shipped: the engine-owned database-role catalog now exposes stable physical-target identity plus physical co-location, the engine-owned migration playbook plus topology posture now expose coordination counts, per-step partner targets, and shared-target warning/action guidance when pending or failed logical migration work spans one physical database, and the showcase sample now consumes that engine-owned shared-database truth directly in its operator projection, browser UI, Markdown brief, and handoff packageENG-092is now shipped:DatabaseMigrationOperationalPlaybooknow also carries engine-owned physical-target execution groups with aggregate status, grouped migration ids, coverage counts, and shared-target coordination hints,Cephalon.Enginenow projects that grouped answer through/engine/database-migration-playbookplussnapshot.DatabaseMigrationPlaybook, and the showcase sample now consumes that grouped engine-owned answer directly in its operator projection, browser UI, Markdown brief, and handoff packageENG-093is now shipped:DatabaseMigrationOperationalExecutionGroupnow also carries grouped production and manual command sets throughDatabaseMigrationOperationalExecutionGroupCommand,Cephalon.Enginenow projects that grouped command answer through/engine/database-migration-playbookplussnapshot.DatabaseMigrationPlaybook, and the showcase sample now consumes that grouped engine-owned command answer directly in its operator projection, browser UI, Markdown brief, and handoff packageENG-094is now shipped:DatabaseMigrationOperationalExecutionGroupnow also carries combined production and manual command-batch templates throughDatabaseMigrationOperationalExecutionGroupCommandBatch,Cephalon.Enginenow projects that combined batch answer through/engine/database-migration-playbookplussnapshot.DatabaseMigrationPlaybook, and the showcase sample now consumes that combined engine-owned batch answer directly in its operator projection, browser UI, Markdown brief, and handoff packageENG-069is now shipped: host-agnostic event-dispatch runtime descriptor and state contracts now live inCephalon.Abstractions,/engine/snapshotnow carriesEventDispatchRuntimesplusEventDispatchStates, ASP.NET Core now exposes/engine/event-dispatch-runtimesand/engine/event-dispatches, and the showcase sample now wiresCephalon.Eventing.Wolverineso the official managed dispatch path is visible end to end through the new operator surfacesENG-070is now shipped: the engine now carries first-class outbox dispatch-policy answers throughOutboxDescriptor.DispatchPolicyplusIOutboxDispatchPolicyCatalog,/engine/outboxesnow distinguishesdisabled,consumer-managed, and runtime-managed ownership truthfully, managed dispatch runtimes explicitly declare their owned outbox ids, and the eventing/Wolverine surfaces plus showcase sample now stay consistent with the same policy answer end to endENG-071is now shipped: dispatch-runtime descriptors now carry a canonical aggregateSummary,/engine/event-dispatch-runtimesplussnapshot.EventDispatchRuntimesnow expose that live-enriched answer directly, thewolverine-adapterand shared eventing runtime surfaces reuse the same summary instead of re-aggregating dispatch state independently, and MongoDB, Redis, Elasticsearch, and OpenSearch now join Entity Framework in exposingIEventDispatchStorefor staged outboxes so the managed-dispatch contract is no longer relational-onlyENG-072is now shipped: Neo4j and Qdrant now also expose provider-nativeIEventDispatchStorebaselines for staged outboxes, so graph-store and vector-store workloads join the same consumer-managed or adapter-managed dispatch path without relaying through a relational bridge, while Cassandra, ClickHouse, and NATS remained explicit storage-model follow-through work at that point rather than hidden parity gapsENG-073is now shipped: NATS JetStream KV now also exposes a provider-nativeIEventDispatchStorebaseline for staged outboxes by persisting mutable staged-message records in the same bucket, so ledger-store workloads join the same consumer-managed or adapter-managed dispatch path while Cassandra and ClickHouse remained explicit storage-model follow-through work at that pointENG-074is now shipped: Cassandra now also exposes a provider-nativeIEventDispatchStorebaseline for staged outboxes by combining the authoritativeoutbox_messagesrow with a deterministic message-shardedoutbox_pending_dispatcheligibility table, so wide-column workloads join the same consumer-managed or adapter-managed dispatch path without relaying through a relational bridge while ClickHouse remains the one deliberate storage-model follow-through gapENG-075is now shipped: ClickHouse now stays explicit about the opposite truth, keeping itsReplacingMergeTreeoutbox staging-only while publishingDispatchPolicy.PolicyId = unsupportedwithExecutionMode = disabledplus provider-specific reason metadata so/engine/outboxes,event-dispatches, and the runtime snapshot stop collapsing that deliberate storage-model boundary into a generic “not configured” answer- the remaining phase-10 work is now broader provider consumption where the storage model stays truthful, broader role graphs beyond
UseRole -> write, additional managed-dispatch providers beyond the current Wolverine path, bundle/script generation or execution orchestration, richer provider-native telemetry beyond the current live-versus-cached probe baseline, and replay follow-through plus richer export formats for durable history
Exit criteria:
- a consumer app can keep one Cephalon codebase and move between shared-db and split-db layouts through config and additive pack wiring
- database topology, migration targeting, and durable audit-history state are all introspectable instead of hidden in host startup code
- provider packs stay additive because the engine owns the role and migration contract instead of one pack becoming the de facto source of truth
- optional convenience
DbContextbase classes, if they appear later, remain thin DX helpers rather than the primary engine contract
Recommended implementation order
Section titled “Recommended implementation order”Updated priority order as of April 18, 2026:
- start phase 7 with
ENG-033cross-platform validation and shell parity so the shipped build, test, publish, and install flows stop assuming Windows-specific shell behavior - follow immediately with
ENG-034first-run adoption and environment-doctor work so external teams have one clear install, validation, and runtime-smoke path ENG-035is now complete, so Cephalon’s package-manifest, trust, provenance, and runtime-introspection story is exercised outside this repository through the staged external package flowENG-036is now complete, so Docker Desktop / WSL users have a reproducible modular monolith sample deployment that preserves the shipped runtime, health, and OTLP collector pathENG-037is now complete, so newly scaffolded apps carry the documented package-source bootstrap needed to restore, build, and follow the container path without repo-only package-feed knowledgeENG-038is now complete, so newly scaffolded apps also carry a deterministic folder-publish profile and a validated published-output smoke path that runs outside the repo tree once the supported package source is seeded or repointedENG-039is now complete, so newly scaffolded apps also carry Linuxsystemdinstall assets and a validated WSL verification path that closes the self-hosted service-manager gap after publishENG-040is now complete, so newly scaffolded apps also carry Windows Service install assets and a validated install-preview path that closes the self-hosted Windows service-manager gap after publishENG-041is now complete, so newly scaffolded apps also carry IIS install assets and a validated ANCM/published-output preview path that closes the hosted Windows deployment gap after publishENG-042is now complete, so newly scaffolded apps also carry Azure App Service ZIP-deploy assets and a validated run-from-package preview path that closes the hosted Azure deployment gap after publishENG-043is now complete, so newly scaffolded apps also carry Azure Container Apps source-deploy assets and a validated Dockerfile plus Azure CLI preview path that closes the hosted Azure container deployment gap from the generated app rootENG-044is now complete, so newly scaffolded apps also carry Kubernetes manifest/apply assets and a validated Dockerfile pluskubectl kustomizepreview path that closes the platform-neutral cluster deployment gap from the generated app rootENG-045is now complete, so newly scaffolded apps also carry provider-neutral container-image build/tag/push assets and a validated local-registry smoke path that closes the remaining image-publication gap between local Dockerfile validation and hosted container deployment targetsENG-097is now complete, so the repo has an explicit.NET 11readiness lane, a dedicated readiness script, truthful deployment-mode claim language, and a higher-SDK workflow path before any default-target migration is considered- keep phase 6 in
later / Todountil another explicit cloud or platform target becomes adoption-driven beyond the shipped self-hosted, Azure Monitor, AWS, GCP, Huawei Cloud, Alibaba Cloud, Oracle Cloud, Red Hat OpenShift, DigitalOcean, VMware Tanzu, Kubernetes, Cloudflare/custom-provider guidance, Grafana Cloud, and New Relic baseline - future solution-level expansion only when an explicit adoption scenario needs it
- open phase 8 with
ENG-046,ENG-047, andENG-048so ids, structured config sections, and host-agnostic contracts freeze before package implementations or template defaults drift - follow with
ENG-049andENG-050so Cephalon proves a relational Entity Framework plus CQRS plus outbox plus eventing golden path before it claims broader provider breadth - then deliver
ENG-051,ENG-052, andENG-053so identity/authorization, multi-tenancy/audit, and CLI/scaffolding/template/sample follow-through land on the same frozen phase-8 contract - then deliver
ENG-055andENG-056so benchmarks, validation, docs, XML comments, and reference-doc alignment prove the phase-8 claims before the repo widens the public story ENG-054Track 1 (non-relational providers) andENG-057(event-sourcing follow-through) are now complete; keep hybrid-cloud, service-mesh, and serverless expansion as explicit later slices until an adopter needs them beyond the proven golden path- open phase 11 with resilience foundation (circuit breaker, retry/timeout/bulkhead, rate limiting) plus
onion-architectureandanti-corruption-layerpattern descriptors so production microservice deployments have configuration-driven fault tolerance - follow with phase 12 for migration and advanced coordination (strangler fig, saga choreography, BFF pattern, feature flags, durable execution) so enterprise adoption and distributed coordination stories are complete
- then phase 13 for next-generation patterns (cell-based architecture, data mesh, CDC) when explicit adoption scenarios justify the investment
Phase 11: Resilience Foundation
Section titled “Phase 11: Resilience Foundation”Status: in progress
Goal: add production-critical resilience infrastructure so consumer microservices can handle cascading failures, transient faults, and traffic spikes through configuration-driven policies.
Target: Sprint 36–37
Shipped baseline:
onion-architecturepattern descriptor inBuiltInPatterns.csfor taxonomy completeness alongside Clean and Hexagonalanti-corruption-layerpattern descriptor inBuiltInPatterns.csfor explicit DDD integration boundary supportEngine:Resilienceconfiguration section covering contract-firstRetry,Timeout,CircuitBreaker,Bulkhead, andRateLimitingpolicy intent- projection of that requested contract into
EngineSettings,AppProfile.Resilience,/engine/app-model, and/engine/resilience - ASP.NET Core public-HTTP rate limiting wired through
Microsoft.AspNetCore.RateLimiting,/engine/rate-limiting, andsnapshot.RateLimitingPolicieswith operator/docs route exclusions - additive
Engine:Resilience:RateLimiting:Overridesmodeling projected intoAppProfile.Resilienceso ASP.NET Core hosts can resolve endpoint-scoped behavior and transport overrides with truthful runtime/OpenAPI answers - built-in ASP.NET Core GraphQL route split across
/graphql,/graphql/schema,/graphql-sse, and/graphql-wsunder the sameApiRoutes:Prefixescontract, with/engine/rate-limitingnow publishingtransportKind,transportSemantics,enforcementMoment, andlongLivedTransportIdsfor long-lived transport policies - shared behavior-dispatch resilience now enforces retry, timeout, circuit-breaker, bulkhead, and rate limiting through
Cephalon.Behaviors,/engine/behavior-resilience, andsnapshot.BehaviorResiliencePolicies - additive
Engine:Resilience:BehaviorExecution:Overridesmodeling projected intoAppProfile.ResiliencesoCephalon.Behaviorscan resolve behavior-scoped, transport-scoped, and behavior+transport retry/timeout/circuit-breaker/bulkhead/rate-limiting overrides with explicit disable answers and truthful/engine/behavior-resilienceplus REST/OpenAPI status metadata - showcase sample configuration now demonstrates the same resilience contract in grouped
Configurations/Engine/Resilience/*files
Remaining follow-through:
- broader non-REST transport-native resilience-envelope semantics beyond the current ASP.NET Core public-HTTP plus shared behavior-dispatch
429/503baseline for rate limiting, timeout, and circuit breaker - capabilities:
resilience.circuit-breaker,resilience.retry,resilience.timeout,resilience.bulkhead,resilience.rate-limiting
Exit criteria:
- a consumer app can configure per-behavior resilience policies through
Engine:Resiliencewithout writing custom middleware - the requested and effective resilience contract remains introspectable through
AppProfile.Resilience,/engine/resilience,/engine/rate-limiting, and/engine/snapshot - default and scoped behavior-execution timeout, circuit-breaker, bulkhead, and rate-limiting policies can be configured through
Engine:ResilienceplusEngine:Resilience:BehaviorExecution:Overrideswithout custom dispatch glue - health probes and circuit breakers compose together to prevent cascading failures
- ASP.NET Core HTTP rate limiting can be configured per behavior or per transport
Phase 12: Migration and Advanced Coordination
Section titled “Phase 12: Migration and Advanced Coordination”Status: in progress
Goal: expand the distributed coordination story with choreography-based sagas, incremental migration support, progressive delivery, and durable execution foundations.
Target: Sprint 38–40 follow-through
Planned deliverables:
strangler-figpattern descriptor plus the first host-agnostic runtime-contract baseline (IStranglerFigRouteContributor,IStranglerFigRuntimeCatalog,IStranglerFigRouter,/engine/strangler-fig, andsnapshot.StranglerFigRoutes) for incremental migration from legacy systems are now shipped- the first configuration-driven strangler-fig migration-policy overlay is now also shipped through
Engine:Migration:StranglerFig,IStranglerFigMigrationRuntimeCatalog,/engine/strangler-fig/runtime, andsnapshot.StranglerFigRoutePolicies - the first ASP.NET Core host-level cutover runtime is now also shipped through
Engine:Migration:StranglerFig:AspNetCore,/engine/strangler-fig/cutover, and/engine/strangler-fig/cutover/resolve, with rooted local selections rewritten in-process, absolute HTTP or HTTPS selections redirected or proxied, and unsupported selected endpoints rejected truthfully with502while broader traffic-manager or ingress follow-through remains planned backend-for-frontendpattern plus the host-agnostic client-binding runtime, the client-aware REST filtering runtime, and the first REST documentation/materialization baseline (BackendForFrontendClientBindingDescriptor,IBackendForFrontendRuntimeCatalog,IBackendForFrontendRestRuntimeCatalog,BackendForFrontendRestDocumentRuntimeDescriptor,/engine/backend-for-frontend,/engine/backend-for-frontend/rest-endpoints,/engine/backend-for-frontend/rest-documents, and the matching snapshot fields) are now shipped, while broader non-REST frontend-materialization remains later follow-through- the first host-agnostic saga choreography baseline is now also shipped through
IBehaviorTopologyBuilder.AsSagaChoreography(), source-generatedsaga-choreographyliterals,ISagaChoreographyPublisher,SagaChoreographyPublication,SagaChoreographyStepResult,InMemorySagaChoreographyPublisher,ChoreographySagaExecutionStrategy, capabilitybehaviors.saga-choreography, and advisoryABT-005; the explicit eventing bridge follow-through is now also shipped throughCephalon.Eventing.Behaviors,AddBehaviorEventingBridge(), capabilityeventing.behaviors.saga-choreography, and thesaga-choreography-bridgesruntime surface; the first higher-level authoring-helper follow-through is now also shipped throughISagaChoreographyStepResult,ISagaEventReactor<TEvent>,ISagaEventReactor<TEvent, TOutput>,SagaChoreographyStepResult<TOutput>, and typed JSON publication helpers onSagaChoreographyPublication; the first static choreography runtime/operator follow-through is now also shipped throughSagaChoreographyRuntimeDescriptor,ISagaChoreographyRuntimeCatalog,snapshot.SagaChoreographies, and/engine/saga-choreographies; the first live publication-state follow-through is now also shipped throughSagaChoreographyPublicationRuntimeState,ISagaChoreographyPublicationRuntimeStateCatalog,snapshot.SagaChoreographyPublicationStates, and/engine/saga-choreographies/runtime*; and the module-backed capabilitiesbehaviors.saga-choreography.runtime-catalogandbehaviors.saga-choreography.publication-stateare now also shipped whenAddBehaviorPatterns()activates the shared runtime surfaces - the first feature-flag runtime baseline is now shipped through
FeatureFlagDescriptor,FeatureFlagTargetingDescriptor,IFeatureToggle,IFeatureFlagRuntimeCatalog,IFeatureFlagContributor,Engine:Features,/engine/features,/engine/features/{featureFlagId}/evaluate, andsnapshot.FeatureFlags; the generic external-provider bridge baseline is now also shipped throughFeatureFlagProviderBindingDescriptor,FeatureFlagProviderEvaluationResult,IFeatureFlagProvider,FeatureFlagDescriptor.ProviderBindings,Engine:Features:Flags:*:ProviderBindings, andengine.AddFeatureFlagProvider(...); the first shared behavior-execution follow-through is also now shipped throughBehaviorTopologyDescriptor.RequiredFeatureFlagIds,IBehaviorTopologyBuilder.RequireFeatureFlag(...),BehaviorFeatureDisabledException, shared behavior-pipeline evaluation, source-generated topology literals, and runtime metadata, while provider-specific companion-pack integrations and any future capability publication remain later follow-through - the first durable-execution baseline is now also shipped through
IBehaviorTopologyBuilder.AsDurableExecution(), source-generateddurable-executionliterals,IDurableExecution<TState>,IDurableExecution<TInput, TState, TOutput>,DurableExecutionState<TState>,DurableExecutionStepResult<TOutput>,DurableExecutionStrategy, capabilitybehaviors.durable-execution, and compatibility ruleABT-006; the first durable runtime/operator follow-through is now also shipped throughDurableExecutionRuntimeDescriptor,IDurableExecutionRuntimeCatalog,/engine/durable-executions, andsnapshot.DurableExecutions, and the first durable live-state/failure-posture follow-through is now also shipped throughDurableExecutionRuntimeState,IDurableExecutionRuntimeStateCatalog,/engine/durable-executions/runtime, andsnapshot.DurableExecutionStates; the first durable timer/signal coordination follow-through is now also shipped throughDurableExecutionPendingTimer,DurableExecutionPendingSignal,/engine/durable-executions/runtime/timers*, and/engine/durable-executions/runtime/signals*; the first durable compensation-helper follow-through is now also shipped throughDurableExecutionCompensationAction,/engine/durable-executions/runtime/compensations*, and additive compensation-action metadata onDurableExecutionStepResult<TOutput>plusDurableExecutionRuntimeState, while any future auto-executing durable recovery remains later follow-through
Exit criteria:
- a consumer app can migrate incrementally from a legacy system using the strangler fig router
- sagas can coordinate through events (choreography) in addition to state (orchestration)
- feature flags can gate behavior, module, transport, environment, tenant, subject, or tag-scoped
availability through
IFeatureToggleandEngine:Features - durable execution workflows survive process restarts through replay semantics backed by
IEventStore - operators can inspect active durable workflows, ownership, transports, rollout gates, typed replay contract shape, and current per-stream durable posture through engine-owned runtime catalogs
Phase 13: Next-Generation Patterns
Section titled “Phase 13: Next-Generation Patterns”Status: in progress
Goal: add differentiation-grade patterns that position CephalonEngine for the next generation of distributed application architecture.
Target: Sprint 40–41
Shipped baseline:
-
ENG-120now ships the first cell-based architecture boundary baseline through the built-incell-based-architectureprofile,CellBoundaryDescriptor,ICellBoundaryContributor,ICellBoundaryCatalog,engine.AddCellBoundary(...),/engine/cells*,snapshot.CellBoundaries, and thecell-boundariestechnology runtime surface; active boundaries now auto-select the profile while preserving module ownership in one runtime truth -
ENG-121now extends that same phase-13 runtime truth withCellRouteDescriptor,ICellRouteContributor,ICellRouteCatalog,engine.AddCellRoute(...),/engine/cell-routes*,snapshot.CellRoutes, and thecell-routestechnology runtime surface; active routes validate against the same boundary/module ownership graph instead of introducing a second host-only traffic registry -
ENG-122now extends that same phase-13 runtime truth withCellHealthIsolationDescriptor,ICellHealthIsolationContributor,ICellHealthIsolationCatalog,engine.AddCellHealthIsolation(...),/engine/cell-health-isolations*,snapshot.CellHealthIsolations, and thecell-health-isolationstechnology runtime surface; active health-isolation answers validate module ownership against the same boundary graph instead of inventing a host-only health partition registry -
ENG-123now extends that same phase-13 runtime truth withEngine:Cells:TrafficAutomation,CellSettings,CellTrafficAutomationSettings,CellTrafficAutomationRouteSettings,ICellTrafficAutomationRuntimeCatalog,/engine/cell-traffic-automations*,snapshot.CellTrafficAutomations, and thecell-traffic-automationstechnology runtime surface; effective automation answers stay derived from the existing route plus health-isolation graph so module ownership remains authoritative instead of inventing a second host-only traffic manager -
ENG-124now ships the first data mesh runtime baseline throughIDataProduct<T>,DataProductDescriptor,IDataProductCatalog,IDataProductContributor,IDataProductRegistry,/engine/data-products*, andsnapshot.DataProducts; queryable data-product ownership now stays module-backed throughsourceModuleId,domainId,contractId, andmodeinstead of requiring a host-only catalog or provider-specific runtime surface -
ENG-125now ships the first CDC capture runtime baseline throughICdcCapture,CdcCaptureDescriptor,ICdcCaptureCatalog,ICdcCaptureContributor,ICdcCaptureRegistry,/engine/cdc-captures*, andsnapshot.CdcCaptures; CDC capture ownership now stays module-backed throughsourceModuleId,provider,sourceId,outboxId,mode,eventFormat,resourceIds, and metadata while engine composition validates referenced source modules and outboxes instead of inventing a host-only sync registry -
ENG-126now extends that same phase-13 runtime truth withCdcCaptureRuntimeState,ICdcCaptureRuntimeStateCatalog,/engine/cdc-captures/runtime*, andsnapshot.CdcCaptureStates; live CDC runtime answers now stay descriptor-backed, carry latest-plus-total capture metrics plus checkpoint/error metadata, and can merge linkedOutboxDispatchStatefrom the existing event-dispatch runtime truth instead of inventing a second host-only publish-state registry -
ENG-127now extends that same phase-13 runtime truth again withCdcCaptureFreshnessStatus,CdcCaptureLagStatus,CdcCapturePublicationStatus, and the matching typed runtime-state fields onCdcCaptureRuntimeState; provider/runtime reporters can now publish freshness windows, lag posture, pending source-change counts, and pending publication counts while the shared catalog applies a conservative linked-dispatch publication overlay through the same/engine/cdc-captures/runtime*plussnapshot.CdcCaptureStatessurface -
ENG-128now adds the first shared CDC hosted-execution substrate throughCdcCaptureExecutionResult, stableICdcCapture.CdcCaptureIdplusIOutbox.OutboxIdbindings, thedata.cdc.executioncapability, thedata-cdc-capture-flowexecution graph, thedata-cdc-capture-pumphosted execution, and shared in-process outbox staging/reporting through the existing execution/runtime-story surfaces without replacing module-owned capture descriptors or runtime-state truth -
ENG-129now closes the shared replay-safe CDC checkpoint-commit follow-through throughCdcCaptureExecutionAcknowledgement,ICdcCaptureAcknowledger, theacknowledge-cdc-progressnode insidedata-cdc-capture-flow, post-stageacknowledgementplusacknowledgerServiceTypemetadata on success, and truthfulfailureKind = acknowledgementplus pending checkpoint/change-id metadata when provider acknowledgement fails after staging -
ENG-130now adds the first CDC execution-runtime catalog baseline throughCdcCaptureExecutionRuntimeDescriptor,CdcCaptureExecutionRuntimeSummary,ICdcCaptureExecutionRuntimeCatalog,/engine/cdc-capture-runtimes*, andsnapshot.CdcCaptureExecutionRuntimes; the shareddata-cdc-capture-pumpruntime now publishes one operator-facing ownership/topology answer with linked capture ids plus an aggregate summary derived from the shared CDC runtime-state catalog instead of leaving runner topology implicit in host-specific execution metadata -
ENG-131now closes the first CDC execution-ownership binding baseline throughCdcCaptureExecutionBindingDescriptor,ExecutionBindingonCdcCaptureDescriptorplusCdcCaptureRuntimeState, deterministic capture-to-runtime binding resolution,/engine/cdc-captures/execution-runtimes/{executionRuntimeId},/engine/cdc-captures/runtime/execution-runtimes/{executionRuntimeId}, and shared-pump filtering that executes only captures effectively owned bydata-cdc-capture-pump -
ENG-132now adds the first external execution-runtime declaration baseline through first-class execution runtime ownership/topology fields, inverseGetByExecutionRuntimeId(...)lookups on the shared CDC catalogs,DataRuntimeOptions.CdcExecutionRuntimes,CdcCaptureExecutionRuntimeOptions, and the same/engine/cdc-capture-runtimes*plus inverse capture/runtime drill-down routes, so configured external-managed or provider-native runtimes can join the shared operator story without pretending Cephalon hosts them -
ENG-133now proves the first concrete provider-native CDC runner throughCephalon.Data.MongoDB,MongoDbChangeStreamCaptureOptions,mongodb-change-stream-capture-flow,mongodb-change-stream-capture-pump, resume-token checkpoints, and preserved authoredsourceModuleIdtruth with separatecontributorModuleIdmetadata when the provider pack contributes on another module’s behalf -
ENG-134now adds the first out-of-process CDC live-reporting baseline throughCdcCaptureRuntimeObservation,ICdcCaptureExecutionRuntimeReportSink,DataRuntimeOptions.EnableExternalCdcRuntimeReporting, andPOST /engine/cdc-capture-runtimes/{executionRuntimeId}/reports, so external execution runtimes can publish live posture back into the same/engine/cdc-captures/runtime*,/engine/cdc-capture-runtimes*, andsnapshotsurfaces while capture ownership still stays grounded inExecutionBinding -
ENG-135now extends the first cell traffic-automation baseline with provider-aware and edge-aware targeting through first-classproviderIdplusedgeNodeIds, additiveEngine:Cells:TrafficAutomationdefaults and route overrides, derived materialization posture,/engine/cell-traffic-automations/providers/{providerId},/engine/cell-traffic-automations/edge-nodes/{edgeNodeId}, and the samesnapshot.CellTrafficAutomationspluscell-traffic-automationstechnology surface instead of inventing a second traffic registry -
ENG-136now adds the first provider-managed cell traffic materializer baseline throughICellTrafficAutomationProviderMaterializer,CellTrafficAutomationProviderMaterializationResult,CellTrafficAutomationProviderMaterializationStates, startup reconciliation over the sharedCellTrafficAutomationRuntimeCatalogSnapshot, and additiveproviderMaterializerIdplusproviderMaterializationState/ObservedAtUtc/Errorfields onCellTrafficAutomationRuntimeDescriptor, so provider-managed or provider-and-edge-managed routes can publish selected materializer ownership and latest reconciliation posture through the same/engine/cell-traffic-automations*,snapshot.CellTrafficAutomations, andcell-traffic-automationstechnology surface without inventing a second traffic-materialization registry -
ENG-137now adds the first edge-runtime cell traffic materializer baseline throughICellTrafficAutomationEdgeMaterializer,CellTrafficAutomationMaterializationResult,CellTrafficAutomationMaterializationStates, startup reconciliation over the sharedCellTrafficAutomationRuntimeCatalogSnapshot, and the first concreteedge-runtime-materializerinCephalon.Edge, soedge-managedorprovider-and-edge-managedroutes can publish selected edge materializer ownership and latest reconciliation posture through the same/engine/cell-traffic-automations*,snapshot.CellTrafficAutomations, andcell-traffic-automationstechnology surface without inventing a second traffic-materialization registry -
ENG-138now hardens richer multi-provider reconciliation on that same shared traffic catalog throughPriorityplusCanMaterialize(...)selection inputs on provider and edge materializers, highest-priority match resolution with ambiguous tie failures, additivematerializationState/materializationObservedAtUtc/materializationErroronCellTrafficAutomationRuntimeDescriptor, and selection-rationale metadata such as matching-candidate counts plus state breakdown, soprovider-managed,edge-managed, andprovider-and-edge-managedroutes publish requested, selected, and observed truth on the same/engine/cell-traffic-automations*,snapshot.CellTrafficAutomations, andcell-traffic-automationstechnology surface without inventing a second reconciliation registry -
ENG-139now proves the first provider-specific control-plane materializer on that same shared traffic catalog throughCephalon.Edge.KubernetesGateway,KubernetesGatewayTrafficMaterializerOptions,KubernetesGatewayTrafficRouteOptions,AddKubernetesGatewayTrafficMaterializer(...), and thekubernetes-gateway-traffic-materializationstechnology surface; selectedprovider-managedroutes can now publish deterministic Kubernetes Gateway APIGatewayplusHTTPRouteintent metadata such asproviderRouteId, parent/backend references, controller identity, and truthfulstatusSource = configured-intentplaceholders on the same/engine/cell-traffic-automations*,snapshot.CellTrafficAutomations, andcell-based-architectureruntime story without inventing a second control-plane registry or pretending the pack already performs live cluster reconciliation -
ENG-140now layers the first live Kubernetes Gateway API reconciliation baseline on top of that same projected-intent pack:Cephalon.Abstractionsnow shipsICellTrafficAutomationMaterializationReportSink,Cephalon.Enginenow lets provider and edge observers merge live materialization answers back into the same sharedCellTrafficAutomationRuntimeCatalogSnapshot, andCephalon.Edge.KubernetesGatewaynow addsKubernetesGatewayTrafficObservationOptionsplusobserve-onlymode so selected routes can publish liveGateway/HTTPRoutecondition truth, freshness windows, and drift posture through/engine/cell-traffic-automations*,snapshot.CellTrafficAutomations, andkubernetes-gateway-traffic-materializationswithout a second registry -
ENG-141now hardens that same pack with the first Kubernetes Gateway apply-and-reconcile baseline:KubernetesGatewayTrafficObservationModesnow addsapply-and-reconcile,configured-intentnow keeps the shared provider state truthfullypending,Cephalon.Edge.KubernetesGatewaynow applies only ownedHTTPRouteresources while treatingGatewayas a pre-provisioned dependency, and the same/engine/cell-traffic-automations*,snapshot.CellTrafficAutomations, andkubernetes-gateway-traffic-materializationssurfaces now publish ownership-aware write results together with reconciledGatewayplusHTTPRoutestatus instead of inventing a second control-plane registry -
ENG-142now proves the same provider-materializer seam against a second control-plane family throughCephalon.Edge.Traefik,TraefikTrafficMaterializerOptions,TraefikIngressRouteOptions,TraefikMiddlewareReferenceOptions,AddTraefikTrafficMaterializer(...), and thetraefik-ingressroute-traffic-materializationstechnology surface; selectedprovider-managedroutes can now publish deterministic TraefikIngressRouteintent metadata such asproviderRouteId, entry points, match rules, middleware references, backend service references, and TLS posture on the same/engine/cell-traffic-automations*,snapshot.CellTrafficAutomations, andcell-based-architectureruntime story without inventing a second control-plane registry or pretending the pack already performs live Traefik reconciliation -
ENG-143now hardens broader control-plane ownership lifecycle truth on that same shared traffic catalog throughCellTrafficAutomationOwnershipStates,CellTrafficAutomationDependencyStates,CellTrafficAutomationDriftStates,CellTrafficAutomationLifecycleActions, and derivedmaterialization.*lifecycle summaries;Cephalon.Enginenow seeds and aggregates requested versus owned versus conflict posture across provider and edge dimensions whileCephalon.Edge,Cephalon.Edge.KubernetesGateway, andCephalon.Edge.Traefiknow publish the same ownership/dependency/drift/lifecycle-action vocabulary on the existing/engine/cell-traffic-automations*,snapshot.CellTrafficAutomations, and provider-specific technology surfaces instead of inventing provider-local lifecycle taxonomies -
ENG-144now layers the first live Traefik observation baseline on top of that same projected-intent pack:Cephalon.Edge.Traefiknow addsTraefikTrafficObservationModes,TraefikTrafficObservationOptions, and opt-inobserve-onlypolling over TraefikIngressRoute,Middleware,TLSOption, backendService, and TLSSecretresources so the existing/engine/cell-traffic-automations*,snapshot.CellTrafficAutomations, andtraefik-ingressroute-traffic-materializationssurfaces can publish route existence, ownership, dependency, drift, and freshness truth without inventing a second control-plane registry or pretending the pack already performs owned writes -
ENG-145now hardens that same Traefik pack with the first apply-and-reconcile ownership loop:TraefikTrafficObservationModesnow addsapply-and-reconcile, configured intent now stays truthfullypending,Cephalon.Edge.Traefiknow creates or replaces only ownedIngressRouteresources while treatingMiddleware,TLSOption, backendService, and TLSSecretresources as pre-provisioned dependencies, and the same/engine/cell-traffic-automations*,snapshot.CellTrafficAutomations, andtraefik-ingressroute-traffic-materializationssurfaces now publish ownership-awareingressRouteWriteActionmetadata together with reconciled live Traefik observation without inventing a second control-plane registry -
ENG-146now hardens provider-native lifecycle execution across both shipped control-plane packs:Cephalon.Edge.KubernetesGatewayandCephalon.Edge.Traefiknow classify external unmanaged resources separately from stale or incomplete Cephalon ownership metadata, lazily resolve active owners throughICellTrafficAutomationRuntimeCatalog, preserve previous-owner metadata during transfer-aware adoption, and keep mergedcreate/replace/transferlifecycle truth visible on the same shared automation and provider-specific surfaces instead of collapsing successful reconciliation back toobserve -
ENG-147now closes the first cleanup-sweep follow-through on that same runtime story:KubernetesGatewayTrafficObservationOptionsandTraefikTrafficObservationOptionsnow expose opt-inEnableCleanupSweep, both provider packs now run namespace-scoped delete or prune sweeps over stale transferred or orphaned provider-owned routes only duringapply-and-reconcile, and the same/engine/cell-traffic-automations*,snapshot.CellTrafficAutomations, and provider-specific technology surfaces now publish additiveproviderMaterialization.cleanup*and provider cleanup summaries without inventing a second lifecycle registry -
ENG-148now adds the second provider-native CDC implementation and first relational proof on that same shared CDC runtime story:Cephalon.Data.SqlServernow contributesSqlServerDataOptions,SqlServerCdcCaptureOptions,sqlserver-cdc-capture-flow,sqlserver-cdc-capture-pump, provider-native SQL change-table polling, durablestartLsn|seqval|operationcheckpoints, and the same/engine/cdc-captures*,/engine/cdc-captures/runtime*,/engine/cdc-capture-runtimes*,/engine/execution-graphs,/engine/hosted-executions, andsnapshotsurfaces without inventing a second relational CDC registry -
ENG-149now hardens external CDC runtime reporting on that same shared runtime story:CdcCaptureRuntimeObservationnow carries stableReportId, declared execution runtimes can now setObservationStaleAfterSecondsplusRejectOutOfOrderReports,Cephalon.Datanow treats matching duplicate report ids as idempotent retries while rejecting configured out-of-order submissions, and the same/engine/cdc-captures/runtime*,/engine/cdc-capture-runtimes*, andsnapshotsurfaces now publishLastReportIdplus typedObservationFreshnesswithout inventing a second watchdog registry -
ENG-152now deepens external and edge-aware CDC execution topologies on that same shared runtime story:CdcCaptureRuntimeObservationplusCdcCaptureExecutionReportnow carryReporterIdplusEdgeNodeId, declared execution runtimes can now setReporterLeaseSeconds,RejectConflictingReporterIds, andEdgeNodeIds,Cephalon.Datanow enforces active reporter-lease ownership plus declared edge-node allow-lists while stamping reporter/edge metadata, and the same/engine/cdc-captures/runtime*,/engine/cdc-capture-runtimes*, andsnapshotsurfaces now publishLastReporterId,ActiveReporterId,ReporterLeaseExpiresAtUtc,ObservedEdgeNodeIds, andLastEdgeNodeIdwithout inventing a second topology coordinator -
ENG-153now adds the third provider-native CDC implementation and the first logical-replication streaming proof on that same shared runtime story:Cephalon.Data.Postgresnow contributesPostgresDataOptions,PostgresLogicalReplicationCaptureOptions,postgresql-logical-replication-capture-flow,postgresql-logical-replication-capture-pump, provider-native pgoutput streaming, publication/table validation, optional slot creation, durableslotName|commitLsn|transactionEndLsncheckpoints, and the same/engine/cdc-captures*,/engine/cdc-captures/runtime*,/engine/cdc-capture-runtimes*,/engine/execution-graphs,/engine/hosted-executions, andsnapshotsurfaces without inventing a PostgreSQL-specific CDC registry -
ENG-154now hardens that same PostgreSQL runner with publication and slot lifecycle truth:PostgresLogicalReplicationCaptureOptionsnow exposesRecreateSlotIfInvalidated, provider-native transport execution now validates slot type/plugin/database ownership plus invalidated or WAL-loss posture, inactive invalidated slots can now be recreated intentionally, and the same/engine/cdc-captures/runtime*,/engine/cdc-capture-runtimes*,/engine/execution-graphs,/engine/hosted-executions, andsnapshotsurfaces now publish additiveslotLifecycleState,slotLifecycleAction,slotResumeMode,slotRestartLsn,slotConfirmedFlushLsn,slotWalStatus,slotInvalidationReason, and provider-specific failure-kind answers without inventing a PostgreSQL-only lifecycle registry -
ENG-155now adds richer external and edge-aware CDC failover plus takeover truth on that same shared runtime story:Cephalon.Abstractionsnow shipsCdcCaptureReporterCoordinationStatesplusCdcCaptureReporterCoordinationStatus,CdcCaptureRuntimeStateandCdcCaptureExecutionRuntimeSummarynow expose first-classReporterCoordination,Cephalon.Datanow records rejected conflicts plus accepted reporter takeovers after lease expiry on the shared runtime-state catalog, and the same/engine/cdc-captures/runtime*,/engine/cdc-capture-runtimes*,POST /engine/cdc-capture-runtimes/{executionRuntimeId}/reports, andsnapshotsurfaces now publish active-owner, previous-owner, lease-expiry, takeover, and conflicting-reporter posture without inventing a second topology coordinator -
ENG-156now hardens that same shared external CDC runtime story with richer multi-reporter reconciliation:Cephalon.Abstractionsnow shipsCdcCaptureReporterParticipantRolesplusCdcCaptureReporterParticipantStatus,CdcCaptureReporterCoordinationStatusnow carriesReporterParticipants,HasStandbyReporters, andHasRejectedReporters, andCephalon.Datanow keeps accepted previous owners visible as standby participants plus rejected conflicts visible as rejected participants on the existing/engine/cdc-captures/runtime*,/engine/cdc-capture-runtimes*,POST /engine/cdc-capture-runtimes/{executionRuntimeId}/reports, andsnapshotsurfaces without inventing a second coordination registry -
ENG-157now hardens that same shared external CDC runtime story with stable takeover and degraded-posture semantics:Cephalon.Abstractionsnow shipsCdcCaptureReporterCoordinationIssueReasonsplusCdcCaptureReporterTakeoverStates,CdcCaptureReporterCoordinationStatusnow carriesTakeoverState,DegradedReason,RequiresTakeover, andHasCompletedTakeover, andCephalon.Datanow derivesawaiting-takeover,rejected-reporter-conflict, andmultiple-active-reportersreasons on both per-capture runtime-state and execution-runtime summary surfaces without inventing a second operator taxonomy -
ENG-158now adds the fourth provider-native CDC implementation and the first MySQL binlog proof on that same shared runtime story:Cephalon.Data.MySqlnow contributesMySqlDataOptions,MySqlBinlogCaptureOptions,mysql-binlog-capture-flow,mysql-binlog-capture-pump, provider-native row-event reads, durablebinlogFile|positioncheckpoints, bounded initial-position resolution, and the same/engine/cdc-captures*,/engine/cdc-captures/runtime*,/engine/cdc-capture-runtimes*,/engine/execution-graphs,/engine/hosted-executions, andsnapshotsurfaces without inventing a MySQL-specific CDC registry -
ENG-159now hardens that same MySQL provider-native runner with lifecycle and resume truth:MySqlBinlogCaptureOptionsnow supportsExpectedSourceServerUuid, the Cephalon-managed checkpoint table now keeps additiveSourceServerUuid,SourceServerId,GtidExecutedSet,BinlogFormat, andBinlogRowImagemetadata, and the shared runtime-state plus execution-runtime surfaces now publishbinlogLifecycleState,binlogLifecycleAction,sourceServerIdentityState,sourceServerIdentityAction, checkpoint source-server metadata, and GTID observe-only answers while distinguishing lifecycle failures such asbinary-logging-disabled,source-server-mismatch, andcheckpoint-binlog-unavailablewithout inventing a MySQL-only lifecycle registry -
ENG-160now broadens that same shared external CDC runtime story with reporter rejoin and stale-conflict cleanup:CdcCaptureReporterCoordinationStatusnow exposes additive participant-count helpers,Cephalon.Datanow clears stale rejected-conflict evidence after later accepted reports, and completed takeovers now stop surfacing previous owners as standby participants once the replacement reporter reaffirms lease ownership while preserving historicalpreviousReporterId, lease-expiry, and takeover timestamps on the same/engine/cdc-captures/runtime*,/engine/cdc-capture-runtimes*,POST /engine/cdc-capture-runtimes/{executionRuntimeId}/reports, andsnapshotsurfaces without inventing a second coordinator -
ENG-161now adds the fifth provider-native CDC implementation and the first Oracle redo-log proof on that same shared runtime story:Cephalon.Data.Oraclenow contributesOracleDataOptions,OracleLogMinerCaptureOptions,oracle-logminer-capture-flow,oracle-logminer-capture-pump, provider-native committed-only LogMiner execution, bounded SCN-window plus redo-log selection, durablecommitScn|changeScn|rsId|ssncheckpoints, and the same/engine/cdc-captures*,/engine/cdc-captures/runtime*,/engine/cdc-capture-runtimes*,/engine/execution-graphs,/engine/hosted-executions, andsnapshotsurfaces without inventing an Oracle-specific CDC registry -
ENG-162now hardens that same Oracle provider-native runner with lifecycle and resume truth:OracleLogMinerCaptureOptionsnow supportsExpectedDatabaseId,ExpectedDatabaseUniqueName, andResumeFromEarliestAvailableScnIfCheckpointUnavailable, the Cephalon-managed checkpoint table now keeps additiveDatabaseId,DatabaseUniqueName,ResetLogsChangeNumber,ArchiveLogMode, andSupplementalLogDataMinmetadata, and the shared runtime-state plus execution-runtime surfaces now publishdatabaseIdentity*,archiveLogLifecycle*, and checkpoint-provenance answers while distinguishing lifecycle failures such asarchive-log-disabled,database-identity-mismatch,checkpoint-database-mismatch,checkpoint-scn-unavailable, andcheckpoint-scn-ahead-of-currentwithout inventing an Oracle-only lifecycle registry -
ENG-163now hardens that same shared external and edge-aware CDC runtime story with operator-story drill-down routes and catalog filters:ICdcCaptureRuntimeStateCatalogplusICdcCaptureExecutionRuntimeCatalognow expose reporter-id, edge-node-id, coordination-state, and degraded-reason filters, and ASP.NET Core now publishes those same queries through/engine/cdc-captures/runtime/reporters/{reporterId},/engine/cdc-captures/runtime/edge-nodes/{edgeNodeId},/engine/cdc-captures/runtime/reporter-coordination/{coordinationState},/engine/cdc-captures/runtime/reporter-coordination/issues/{degradedReason},/engine/cdc-capture-runtimes/reporters/{reporterId},/engine/cdc-capture-runtimes/edge-nodes/{edgeNodeId},/engine/cdc-capture-runtimes/reporter-coordination/{coordinationState}, and/engine/cdc-capture-runtimes/reporter-coordination/issues/{degradedReason}without inventing a second coordination registry -
ENG-164now adds the first external managed-connector capture implementation on that same shared runtime story:Cephalon.Data.Debeziumnow contributesDebeziumDataOptions,DebeziumConnectorOptions, andDebeziumCaptureOptions, binds Debezium-managed captures to external execution runtimes withexecutionOwnership = external-managedplusexecutionTopology = managed-connector, and makesPOST /engine/cdc-capture-runtimes/{executionRuntimeId}/reportsavailable whenever Debezium connectors are configured so operator flows can project real Debezium/Kafka Connect style runtime truth through the same/engine/cdc-*,/engine/runtime-story, andsnapshotsurfaces without inventing a Debezium-only registry -
ENG-165now hardens that same Debezium managed-connector runtime story with observe-only lifecycle and reconciliation truth:DebeziumConnectorOptionsnow supportsManagementModeplusExpectedTaskCount,Cephalon.Data.Debeziumnow normalizes raw connector and task report metadata into stabledebezium*lifecycle or reconciliation answers, and the shared execution-runtime catalog now promotes runtime-scoped Debezium metadata back onto/engine/cdc-capture-runtimes*andsnapshotwithout inventing a Debezium-only lifecycle registry -
ENG-166now adds richer CDC operator-story rollups on that same shared external and edge-aware runtime story:Cephalon.Abstractionsnow shipsCdcCaptureExecutionRuntimeReporterCoordinationRollupplusCdcCaptureReporterCoordinationBreakdownEntry,CdcCaptureExecutionRuntimeSummarynow carries additiveReporterCoordinationRollup, andCephalon.Datanow derives runtime-level coordination-state breakdowns, degraded-reason breakdowns, active/standby/rejected reporter ids, and degraded capture ids back onto/engine/cdc-capture-runtimes*andsnapshot.CdcCaptureExecutionRuntimeswithout inventing a second coordination registry or Debezium-only rollup surface -
ENG-167now hardens that same shared external and edge-aware runtime story with declared-versus-reported coverage truth:Cephalon.Abstractionsnow shipsCdcCaptureExecutionRuntimeReportingCoverageStatesplusCdcCaptureExecutionRuntimeReportingCoverageStatus,CdcCaptureExecutionRuntimeSummarynow carries additiveReportingCoverageplusHasUnreportedDeclaredCaptures/HasFullCaptureCoverage, andCephalon.Datanow derivesReportedCdcCaptureIdsplus runtime-levelnot-bound,unreported,partially-reported, andfully-reportedposture only from captures that have submitted real observations back onto/engine/cdc-capture-runtimes*andsnapshot.CdcCaptureExecutionRuntimeswithout inventing a second coverage registry -
ENG-168now closes the next shared follow-through on that same external and edge-aware runtime story with aggregate remediation summaries plus runtime-first drill-downs:Cephalon.Abstractionsnow shipsCdcCaptureExecutionRuntimeRemediationStates,CdcCaptureExecutionRuntimeRemediationCategories, andCdcCaptureExecutionRuntimeRemediationStatus,CdcCaptureExecutionRuntimeSummarynow carries additiveRemediationplusRequiresRemediation/HasBlockingRemediation, andCephalon.Datanow derives runtime-levelready,attention, andblockedposture plus active remediation categories from resolved capture ownership and the existing shared runtime-state story back onto/engine/cdc-capture-runtimes*andsnapshot.CdcCaptureExecutionRuntimeswithout inventing a second remediation registry -
ENG-169now closes the next shared follow-through on that same external and edge-aware runtime story with managed-connector governance posture plus runtime-first governance drill-downs:Cephalon.Abstractionsnow shipsCdcCaptureExecutionRuntimeManagedConnectorGovernanceStates,CdcCaptureExecutionRuntimeManagedConnectorGovernanceCategories,CdcCaptureExecutionRuntimeManagedConnectorGovernanceActionIds, andCdcCaptureExecutionRuntimeManagedConnectorGovernanceStatus,CdcCaptureExecutionRuntimeDescriptornow carries additiveManagedConnectorGovernance,Cephalon.Datanow derives runtime-levelobserve-only,future-control-plane, andout-of-policyposture plus governance categories from merged managed-connector metadata, andCephalon.AspNetCorenow publishes/engine/cdc-capture-runtimes/governance/{governanceState}plus/engine/cdc-capture-runtimes/governance/categories/{governanceCategory}without inventing a Debezium-only governance registry -
ENG-170now closes the next shared follow-through on that same external and edge-aware runtime story with desired-versus-observed managed-connector drift posture plus runtime-first drift drill-downs:Cephalon.Abstractionsnow shipsCdcCaptureExecutionRuntimeManagedConnectorDriftStates,CdcCaptureExecutionRuntimeManagedConnectorDriftCategories,CdcCaptureExecutionRuntimeManagedConnectorDriftActionIds, andCdcCaptureExecutionRuntimeManagedConnectorDriftStatus,CdcCaptureExecutionRuntimeDescriptornow carries additiveManagedConnectorDrift,Cephalon.Datanow derives runtime-levelunknown,in-sync, anddriftedposture plus drift categories from declared-versus-reported task topology and managed-connector identity metadata, andCephalon.AspNetCorenow publishes/engine/cdc-capture-runtimes/drift/{driftState}plus/engine/cdc-capture-runtimes/drift/categories/{driftCategory}without inventing a Debezium-only drift registry -
ENG-171now closes the next shared follow-through on that same external and edge-aware runtime story with managed-connector action-planning posture plus runtime-first action drill-downs:Cephalon.Abstractionsnow shipsCdcCaptureExecutionRuntimeManagedConnectorActionPlanStates,CdcCaptureExecutionRuntimeManagedConnectorActionPlanCategories,CdcCaptureExecutionRuntimeManagedConnectorActionPlanActionIds, andCdcCaptureExecutionRuntimeManagedConnectorActionPlanStatus,CdcCaptureExecutionRuntimeDescriptornow carries additiveManagedConnectorActionPlan,Cephalon.Datanow derives runtime-levelobserve,waiting,action-required, andblockedposture plus action ids from merged remediation, governance, and drift truth, andCephalon.AspNetCorenow publishes/engine/cdc-capture-runtimes/action-plans/{actionPlanState}plus/engine/cdc-capture-runtimes/actions/{actionId}without inventing a Debezium-only action-planning registry -
ENG-172now closes the next shared follow-through on that same external and edge-aware runtime story with managed-connector write-path readiness posture plus runtime-first readiness drill-downs:Cephalon.Abstractionsnow shipsCdcCaptureExecutionRuntimeManagedConnectorWritePathReadinessStates,CdcCaptureExecutionRuntimeManagedConnectorWritePathReadinessCategories, andCdcCaptureExecutionRuntimeManagedConnectorWritePathReadinessStatus,CdcCaptureExecutionRuntimeDescriptornow carries additiveManagedConnectorWritePathReadiness,Cephalon.Datanow derives runtime-levelnot-applicable,deferred,not-ready,ready, andblockedposture plus readiness categories from merged coverage, remediation, governance, drift, and action-planning truth, andCephalon.AspNetCorenow publishes/engine/cdc-capture-runtimes/write-path-readiness/{readinessState}plus/engine/cdc-capture-runtimes/write-path-readiness/categories/{readinessCategory}without inventing a Debezium-only readiness registry -
ENG-173now closes the next shared follow-through on that same external and edge-aware runtime story with managed-connector preflight posture plus runtime-first preflight drill-downs:Cephalon.Abstractionsnow shipsCdcCaptureExecutionRuntimeManagedConnectorPreflightStates,CdcCaptureExecutionRuntimeManagedConnectorPreflightCategories,CdcCaptureExecutionRuntimeManagedConnectorPreflightOperationIds, andCdcCaptureExecutionRuntimeManagedConnectorPreflightStatus,CdcCaptureExecutionRuntimeDescriptornow carries additiveManagedConnectorPreflight,Cephalon.Datanow derives runtime-levelnot-applicable,deferred,not-ready,ready, andblockedposture plus preflight categories and operation ids from merged coverage, remediation, governance, drift, action-planning, and write-path-readiness truth, andCephalon.AspNetCorenow publishes/engine/cdc-capture-runtimes/preflight/{preflightState}plus/engine/cdc-capture-runtimes/preflight/categories/{preflightCategory}and/engine/cdc-capture-runtimes/preflight/operations/{operationId}without inventing a Debezium-only preflight registry -
ENG-174now closes the next shared follow-through on that same external and edge-aware runtime story with managed-connector dry-run posture plus runtime-first dry-run drill-downs:Cephalon.Abstractionsnow shipsCdcCaptureExecutionRuntimeManagedConnectorDryRunStates,CdcCaptureExecutionRuntimeManagedConnectorDryRunCategories,CdcCaptureExecutionRuntimeManagedConnectorDryRunOperationIds, andCdcCaptureExecutionRuntimeManagedConnectorDryRunStatus,CdcCaptureExecutionRuntimeDescriptornow carries additiveManagedConnectorDryRun,Cephalon.Datanow derives runtime-levelnot-applicable,deferred,blocked,no-op, andwould-changeposture plus dry-run categories and operation ids from merged coverage, remediation, governance, drift, action-planning, write-path-readiness, and preflight truth, andCephalon.AspNetCorenow publishes/engine/cdc-capture-runtimes/dry-runs/{dryRunState}plus/engine/cdc-capture-runtimes/dry-runs/categories/{dryRunCategory}and/engine/cdc-capture-runtimes/dry-runs/operations/{operationId}without inventing a Debezium-only dry-run registry -
ENG-175now closes the next shared follow-through on that same external and edge-aware runtime story with managed-connector execution-intent posture plus runtime-first execution-intent drill-downs:Cephalon.Abstractionsnow shipsCdcCaptureExecutionRuntimeManagedConnectorExecutionIntentStates,CdcCaptureExecutionRuntimeManagedConnectorExecutionIntentCategories,CdcCaptureExecutionRuntimeManagedConnectorExecutionIntentOperationIds,CdcCaptureExecutionRuntimeManagedConnectorExecutionIntentSources, andCdcCaptureExecutionRuntimeManagedConnectorExecutionIntentStatus,CdcCaptureExecutionRuntimeDescriptornow carries additiveManagedConnectorExecutionIntent,Cephalon.Datanow derives runtime-levelnot-applicable,deferred,blocked,operator-action,requires-approval, andready-to-executeposture plus execution-intent categories, operation ids, and confidence-source truth from merged dry-run, preflight, write-path-readiness, action-planning, drift, governance, remediation, and coverage answers, andCephalon.AspNetCorenow publishes/engine/cdc-capture-runtimes/execution-intents/{executionIntentState}plus/engine/cdc-capture-runtimes/execution-intents/categories/{executionIntentCategory}and/engine/cdc-capture-runtimes/execution-intents/operations/{operationId}without inventing a Debezium-only execution planner -
ENG-176now closes the next shared follow-through on that same external and edge-aware runtime story with managed-connector execution-approval and safety-gating posture plus runtime-first execution-approval drill-downs:Cephalon.Abstractionsnow shipsCdcCaptureExecutionRuntimeManagedConnectorExecutionApprovalStates,CdcCaptureExecutionRuntimeManagedConnectorExecutionApprovalCategories,CdcCaptureExecutionRuntimeManagedConnectorExecutionApprovalOperationIds,CdcCaptureExecutionRuntimeManagedConnectorExecutionApprovalSources, andCdcCaptureExecutionRuntimeManagedConnectorExecutionApprovalStatus,CdcCaptureExecutionRuntimeDescriptornow carries additiveManagedConnectorExecutionApproval,Cephalon.Datanow derives runtime-levelnot-applicable,auto-blocked,policy-blocked,approval-required,approval-ready, andauto-eligibleposture plus execution-approval categories, operation ids, safety-gating source truth, and explicit-approval posture from merged dry-run, execution-intent, preflight, write-path-readiness, action-planning, drift, governance, remediation, and coverage answers, andCephalon.AspNetCorenow publishes/engine/cdc-capture-runtimes/execution-approvals/{executionApprovalState}plus/engine/cdc-capture-runtimes/execution-approvals/categories/{executionApprovalCategory}and/engine/cdc-capture-runtimes/execution-approvals/operations/{operationId}without inventing a Debezium-only approval registry -
ENG-177now closes the next shared follow-through on that same external and edge-aware runtime story with managed-connector write-path command-envelope posture plus runtime-first command-envelope drill-downs:Cephalon.Abstractionsnow shipsCdcCaptureExecutionRuntimeManagedConnectorCommandEnvelopeStates,CdcCaptureExecutionRuntimeManagedConnectorCommandEnvelopeCategories,CdcCaptureExecutionRuntimeManagedConnectorCommandEnvelopeOperationIds,CdcCaptureExecutionRuntimeManagedConnectorCommandEnvelopeSources, andCdcCaptureExecutionRuntimeManagedConnectorCommandEnvelopeStatus,CdcCaptureExecutionRuntimeDescriptornow carries additiveManagedConnectorCommandEnvelope,Cephalon.Datanow derives runtime-levelnot-applicable,blocked,operator-only,approval-gated, andengine-readyposture plus command-envelope categories, operation ids, source truth, target identity, deterministic command fingerprints, and safety flags from merged execution-approval, execution-intent, dry-run, preflight, write-path-readiness, action-planning, drift, governance, remediation, and coverage answers, andCephalon.AspNetCorenow publishes/engine/cdc-capture-runtimes/command-envelopes/{commandState}plus/engine/cdc-capture-runtimes/command-envelopes/categories/{commandCategory}and/engine/cdc-capture-runtimes/command-envelopes/operations/{operationId}without inventing a Debezium-only execution registry -
ENG-178now closes the next shared follow-through on that same external and edge-aware runtime story with managed-connector command-issuance posture plus runtime-first command-issuance drill-downs:Cephalon.Abstractionsnow shipsCdcCaptureExecutionRuntimeManagedConnectorCommandIssuanceStates,CdcCaptureExecutionRuntimeManagedConnectorCommandIssuanceCategories,CdcCaptureExecutionRuntimeManagedConnectorCommandIssuanceOperationIds,CdcCaptureExecutionRuntimeManagedConnectorCommandIssuanceSources, andCdcCaptureExecutionRuntimeManagedConnectorCommandIssuanceStatus,CdcCaptureExecutionRuntimeDescriptornow carries additiveManagedConnectorCommandIssuance,Cephalon.Datanow derives runtime-levelnot-applicable,blocked,operator-only,accepted,rejected, andissuedposture plus command-issuance categories, operation ids, issuance source truth, deterministic issuance fingerprints, and safety flags from merged command-envelope, execution-approval, execution-intent, dry-run, preflight, write-path-readiness, action-planning, drift, governance, remediation, and coverage answers, andCephalon.AspNetCorenow publishes/engine/cdc-capture-runtimes/command-issuances/{issuanceState}plus/engine/cdc-capture-runtimes/command-issuances/categories/{issuanceCategory}and/engine/cdc-capture-runtimes/command-issuances/operations/{operationId}without inventing a Debezium-only issuance registry -
ENG-179now closes the next shared follow-through on that same external and edge-aware runtime story with managed-connector provider execution-adapter posture plus shared command-execution request and result semantics:Cephalon.Abstractionsnow shipsCdcCaptureExecutionRuntimeManagedConnectorExecutionAdapterStates,CdcCaptureExecutionRuntimeManagedConnectorExecutionAdapterCategories,CdcCaptureExecutionRuntimeManagedConnectorExecutionAdapterOperationIds,CdcCaptureExecutionRuntimeManagedConnectorExecutionAdapterSources,CdcCaptureExecutionRuntimeManagedConnectorExecutionAdapterIds,CdcCaptureExecutionRuntimeManagedConnectorExecutionAdapterStatus,CdcCaptureExecutionRuntimeManagedConnectorCommandExecutionStates,CdcCaptureExecutionRuntimeManagedConnectorCommandExecutionRequest,CdcCaptureExecutionRuntimeManagedConnectorCommandExecutionResult,ICdcCaptureExecutionRuntimeManagedConnectorExecutionAdapter, andICdcCaptureExecutionRuntimeManagedConnectorCommandExecutor,CdcCaptureExecutionRuntimeDescriptornow carries additiveManagedConnectorExecutionAdapter,Cephalon.Datanow derives runtime-levelnot-applicable,blocked,operator-only,unavailable, andreadyposture plus execution-adapter categories, operation ids, adapter identity, deterministic adapter fingerprints, and provider-ready safety flags from merged command-issuance, command-envelope, execution-approval, execution-intent, dry-run, preflight, write-path-readiness, action-planning, drift, governance, remediation, and coverage answers,Cephalon.Data.Debeziumnow proves the first provider adapter by translating shared pause/resume/restart/delete intent into Debezium or Kafka Connect REST command shape, andCephalon.AspNetCorenow publishes/engine/cdc-capture-runtimes/execution-adapters/{executionAdapterState}plus/engine/cdc-capture-runtimes/execution-adapters/categories/{executionAdapterCategory}and/engine/cdc-capture-runtimes/execution-adapters/operations/{operationId}together with additivePOST /engine/cdc-capture-runtimes/{executionRuntimeId}/commands/{operationId}on the existing shared route family without inventing a Debezium-only control-plane registry -
ENG-180now closes the next shared follow-through on that same external and edge-aware runtime story with managed-connector execution outcome/history posture on the existing shared command lane:CdcCaptureExecutionRuntimeManagedConnectorCommandExecutionStatesnow also ships stableunrecorded,CdcCaptureExecutionRuntimeManagedConnectorCommandExecutionResultnow carries additiveAttemptId,RecordedAtUtc,IsUnrecorded, andHasRecordedOutcome,CdcCaptureExecutionRuntimeDescriptornow carries additiveManagedConnectorCommandExecution,Cephalon.Datanow records latest command-execution posture plus bounded recent history from the sharedPOST /engine/cdc-capture-runtimes/{executionRuntimeId}/commands/{operationId}request/result lane,ICdcCaptureExecutionRuntimeCatalognow exposesGetByManagedConnectorCommandExecutionState(...),GetByManagedConnectorCommandExecutionOperationId(...), andGetManagedConnectorCommandExecutionHistory(...), andCephalon.AspNetCorenow publishes/engine/cdc-capture-runtimes/command-executions/{executionState}plus/engine/cdc-capture-runtimes/command-executions/operations/{operationId}and/engine/cdc-capture-runtimes/{executionRuntimeId}/command-executionswithout inventing a Debezium-only command journal or second coordinator -
ENG-181now closes the next shared follow-through on that same external and edge-aware runtime story with managed-connector retry/idempotency posture on the existing shared command lane:Cephalon.Abstractionsnow shipsCdcCaptureExecutionRuntimeManagedConnectorCommandRetryStates,CdcCaptureExecutionRuntimeManagedConnectorCommandRetryCategories,CdcCaptureExecutionRuntimeManagedConnectorCommandRetryOperationIds,CdcCaptureExecutionRuntimeManagedConnectorCommandRetrySources, andCdcCaptureExecutionRuntimeManagedConnectorCommandRetryStatus,CdcCaptureExecutionRuntimeDescriptornow carries additiveManagedConnectorCommandRetry,Cephalon.Datanow derives runtime-levelnot-applicable,not-needed,duplicate,cooldown,retry-blocked,operator-only, andretry-eligibleposture plus retry categories, operation ids, fingerprint matching, cooldown windows, and latest-attempt context from merged command-execution history, command-issuance, execution-adapter, execution-approval, execution-intent, dry-run, preflight, write-path-readiness, action-planning, drift, governance, remediation, and coverage answers,ICdcCaptureExecutionRuntimeCatalognow exposesGetByManagedConnectorCommandRetryState(...),GetByManagedConnectorCommandRetryCategory(...), andGetByManagedConnectorCommandRetryOperationId(...), andCephalon.AspNetCorenow publishes/engine/cdc-capture-runtimes/command-retries/{retryState}plus/engine/cdc-capture-runtimes/command-retries/categories/{retryCategory}and/engine/cdc-capture-runtimes/command-retries/operations/{operationId}without inventing a Debezium-only retry registry -
ENG-182now closes the next shared follow-through on that same external and edge-aware runtime story with managed-connector retry-execution policy posture on the existing shared command lane:Cephalon.Abstractionsnow shipsCdcCaptureExecutionRuntimeManagedConnectorRetryExecutionPolicyStates,CdcCaptureExecutionRuntimeManagedConnectorRetryExecutionPolicyCategories,CdcCaptureExecutionRuntimeManagedConnectorRetryExecutionPolicyOperationIds,CdcCaptureExecutionRuntimeManagedConnectorRetryExecutionPolicySources, andCdcCaptureExecutionRuntimeManagedConnectorRetryExecutionPolicyStatus,CdcCaptureExecutionRuntimeDescriptornow carries additiveManagedConnectorRetryExecutionPolicy,Cephalon.Datanow derives runtime-levelnot-applicable,not-needed,cooldown,manual-approval,policy-blocked,operator-only, andbackground-retry-disabledposture plus policy categories, operation ids, retry fingerprints, cooldown windows, and latest-attempt context from merged command-retry, command-execution history, command-issuance, execution-adapter, execution-approval, command-envelope, execution-intent, dry-run, preflight, write-path-readiness, action-planning, drift, governance, remediation, and coverage answers,ICdcCaptureExecutionRuntimeCatalognow exposesGetByManagedConnectorRetryExecutionPolicyState(...),GetByManagedConnectorRetryExecutionPolicyCategory(...), andGetByManagedConnectorRetryExecutionPolicyOperationId(...), andCephalon.AspNetCorenow publishes/engine/cdc-capture-runtimes/retry-execution-policies/{policyState}plus/engine/cdc-capture-runtimes/retry-execution-policies/categories/{policyCategory}and/engine/cdc-capture-runtimes/retry-execution-policies/operations/{operationId}without inventing a Debezium-only retry-policy registry -
ENG-183now closes the next shared follow-through on that same external and edge-aware runtime story with managed-connector bounded command-journal posture on the existing shared command lane:Cephalon.Abstractionsnow shipsCdcCaptureExecutionRuntimeManagedConnectorCommandJournalStates,CdcCaptureExecutionRuntimeManagedConnectorCommandJournalCategories,CdcCaptureExecutionRuntimeManagedConnectorCommandJournalOperationIds,CdcCaptureExecutionRuntimeManagedConnectorCommandJournalSources, andCdcCaptureExecutionRuntimeManagedConnectorCommandJournalStatus,CdcCaptureExecutionRuntimeDescriptornow carries additiveManagedConnectorCommandJournal,Cephalon.Datanow derives runtime-levelnot-applicable,empty,bounded,truncated,cooldown-active,duplicate-evidence-present, andinsufficient-for-automationposture plus journal categories, operation ids, source truth, retained-versus-recorded history counts, cooldown windows, fingerprint matching, and latest-versus-oldest retained attempt context from merged command-execution history, command-retry, retry-execution policy, command-issuance, execution-adapter, execution-approval, command-envelope, execution-intent, dry-run, preflight, write-path-readiness, action-planning, drift, governance, remediation, and coverage answers,ICdcCaptureExecutionRuntimeCatalognow exposesGetByManagedConnectorCommandJournalState(...)andGetByManagedConnectorCommandJournalCategory(...), andCephalon.AspNetCorenow publishes/engine/cdc-capture-runtimes/command-journals/{journalState}plus/engine/cdc-capture-runtimes/command-journals/categories/{journalCategory}and/engine/cdc-capture-runtimes/{executionRuntimeId}/command-journalwithout inventing a Debezium-only durable journal or second coordinator -
ENG-184now closes the next shared follow-through on that same external and edge-aware runtime story with managed-connector automatic background retry execution on the existing shared command lane:Cephalon.Abstractionsnow shipsCdcCaptureExecutionRuntimeManagedConnectorAutomaticRetryExecutionStates,CdcCaptureExecutionRuntimeManagedConnectorAutomaticRetryExecutionCategories,CdcCaptureExecutionRuntimeManagedConnectorAutomaticRetryExecutionOperationIds,CdcCaptureExecutionRuntimeManagedConnectorAutomaticRetryExecutionSources,CdcCaptureExecutionRuntimeManagedConnectorAutomaticRetryExecutionStatus, andCdcCaptureExecutionRuntimeManagedConnectorCommandExecutionInvocationSources,CdcCaptureExecutionRuntimeDescriptornow carries additiveManagedConnectorAutomaticRetryExecution,Cephalon.Datanow derives runtime-levelnot-applicable,disabled,blocked,eligible, andcompletedposture plus automatic-retry categories, operation ids, matching safety-context reuse flags, cooldown windows, retry and execution fingerprints, latest automatic-attempt metadata, and invocation-source truth from merged retry-execution-policy, command-journal, command-retry, and command-execution history,ICdcCaptureExecutionRuntimeCatalognow exposesGetByManagedConnectorAutomaticRetryExecutionState(...),GetByManagedConnectorAutomaticRetryExecutionCategory(...), andGetByManagedConnectorAutomaticRetryExecutionOperationId(...), the shared data pack now runs the bounded opt-in automatic retry lane throughEnableManagedConnectorAutomaticRetryExecution,ManagedConnectorAutomaticRetryPollingIntervalSeconds, andManagedConnectorAutomaticRetryHostedService, andCephalon.AspNetCorenow publishes/engine/cdc-capture-runtimes/automatic-retries/{automaticRetryState}plus/engine/cdc-capture-runtimes/automatic-retries/categories/{automaticRetryCategory}and/engine/cdc-capture-runtimes/automatic-retries/operations/{operationId}without inventing a Debezium-only retry loop, durable distributed scheduler, or second coordinator -
ENG-185now closes the next shared follow-through on that same external and edge-aware runtime story with managed-connector automatic background retry coordination on the existing shared command lane:Cephalon.Abstractionsnow shipsCdcCaptureExecutionRuntimeManagedConnectorAutomaticRetryCoordinationStates,CdcCaptureExecutionRuntimeManagedConnectorAutomaticRetryCoordinationCategories,CdcCaptureExecutionRuntimeManagedConnectorAutomaticRetryCoordinationSources, andCdcCaptureExecutionRuntimeManagedConnectorAutomaticRetryCoordinationStatus,CdcCaptureExecutionRuntimeDescriptornow carries additiveManagedConnectorAutomaticRetryCoordination,Cephalon.Datanow derives runtime-levelnot-applicable,single-node,uncoordinated,lease-held,lease-missing,conflicted, andoperator-onlyposture plus coordination categories, active-reporter and coordination-owner identity, reporter-lease timing, source truth, andCanExecuteOnCurrentNodefrom merged execution ownership, execution topology, reporter coordination, automatic-retry execution, retry-execution policy, and command-journal truth,ICdcCaptureExecutionRuntimeCatalognow exposesGetByManagedConnectorAutomaticRetryCoordinationState(...),GetByManagedConnectorAutomaticRetryCoordinationCategory(...), andGetByManagedConnectorAutomaticRetryCoordinationOwnerId(...), the shared data pack now gates bothManagedConnectorAutomaticRetryHostedServiceand automatic invocations inManagedConnectorCommandExecutorthrough the host-levelManagedConnectorAutomaticRetryCoordinationOwnerIdpolicy, andCephalon.AspNetCorenow publishes/engine/cdc-capture-runtimes/automatic-retry-coordinations/{coordinationState}plus/engine/cdc-capture-runtimes/automatic-retry-coordinations/categories/{coordinationCategory}and/engine/cdc-capture-runtimes/automatic-retry-coordinations/owners/{ownerId}without inventing a durable distributed scheduler, second coordination registry, or Debezium-only multi-node retry loop -
ENG-186now closes the next shared follow-through on that same external and edge-aware runtime story with managed-connector durable retry-journal posture on the existing shared command lane:Cephalon.Abstractionsnow shipsCdcCaptureExecutionRuntimeManagedConnectorCommandJournalDurabilityStates,CdcCaptureExecutionRuntimeManagedConnectorCommandJournalDurabilityCategories,CdcCaptureExecutionRuntimeManagedConnectorCommandJournalDurabilitySources, andCdcCaptureExecutionRuntimeManagedConnectorCommandJournalDurabilityStatus,CdcCaptureExecutionRuntimeDescriptornow carries additiveManagedConnectorCommandJournalDurability,Cephalon.Datanow derives runtime-levelnot-applicable,in-memory-only,persisted,recovered,recovery-failed, andpersistence-failedposture plus durability categories, persistence path, persisted-versus-recovered timestamps, retained-versus-recorded history counts, and persisted or recovered history flags from merged command-journal, automatic-retry execution, automatic-retry coordination, and file-backed history-store truth,ICdcCaptureExecutionRuntimeCatalognow exposesGetByManagedConnectorCommandJournalDurabilityState(...)andGetByManagedConnectorCommandJournalDurabilityCategory(...), the shared data pack now exposesManagedConnectorCommandJournalPersistencePathsoManagedConnectorCommandExecutionHistoryStorecan persist and recover bounded retry evidence across host restart, andCephalon.AspNetCorenow publishes/engine/cdc-capture-runtimes/command-journal-durability/{durabilityState}plus/engine/cdc-capture-runtimes/command-journal-durability/categories/{durabilityCategory}and/engine/cdc-capture-runtimes/{executionRuntimeId}/command-journal-durabilitywithout inventing a second journal registry, durable distributed scheduler, or Debezium-only persistence subsystem -
ENG-187now closes the next shared follow-through on that same external and edge-aware runtime story with managed-connector distributed retry lease and cross-node idempotency hardening on the existing shared command lane:Cephalon.Abstractionsnow shipsCdcCaptureExecutionRuntimeManagedConnectorDistributedRetryLeaseStates,CdcCaptureExecutionRuntimeManagedConnectorDistributedRetryLeaseCategories,CdcCaptureExecutionRuntimeManagedConnectorDistributedRetryLeaseSources, andCdcCaptureExecutionRuntimeManagedConnectorDistributedRetryLeaseStatus,CdcCaptureExecutionRuntimeDescriptornow carries additiveManagedConnectorDistributedRetryLease,Cephalon.Datanow derives runtime-levelnot-applicable,single-node,lease-held,lease-missing,lease-conflicted,idempotent-safe,idempotency-risk, andoperator-onlyposture plus coordination-owner and active-reporter identity, retry-fingerprint and bounded-history evidence, durable-store and duplicate-attempt truth, andCanExecuteAutomaticRetryOnCurrentNodefrom merged automatic-retry coordination, automatic-retry execution, retry-execution policy, command-journal, command-journal durability, and retained command history answers,ICdcCaptureExecutionRuntimeCatalognow exposesGetByManagedConnectorDistributedRetryLeaseState(...),GetByManagedConnectorDistributedRetryLeaseCategory(...), andGetByManagedConnectorDistributedRetryLeaseOwnerId(...), the shared data pack now gates bothManagedConnectorAutomaticRetryHostedServiceand automatic invocations inManagedConnectorCommandExecutorthrough that richer cross-node answer instead of raw coordination alone, andCephalon.AspNetCorenow publishes/engine/cdc-capture-runtimes/distributed-retry-leases/{leaseState}plus/engine/cdc-capture-runtimes/distributed-retry-leases/categories/{leaseCategory},/engine/cdc-capture-runtimes/distributed-retry-leases/owners/{ownerId}, and/engine/cdc-capture-runtimes/{executionRuntimeId}/distributed-retry-leasewithout inventing a second coordination registry, second retry registry, or Debezium-only multi-node retry subsystem -
ENG-188now closes the next shared follow-through on that same external and edge-aware runtime story with managed-connector distributed retry orchestration on the existing shared command lane:Cephalon.Abstractionsnow shipsCdcCaptureExecutionRuntimeManagedConnectorDistributedRetryOrchestrationStates,CdcCaptureExecutionRuntimeManagedConnectorDistributedRetryOrchestrationCategories,CdcCaptureExecutionRuntimeManagedConnectorDistributedRetryOrchestrationSources, andCdcCaptureExecutionRuntimeManagedConnectorDistributedRetryOrchestrationStatus,CdcCaptureExecutionRuntimeDescriptornow carries additiveManagedConnectorDistributedRetryOrchestration,Cephalon.Datanow derives runtime-levelnot-applicable,disabled,operator-only,cooldown,blocked,scheduled, andcompletedposture plus orchestration categories, scheduler identity/kind, polling interval, owner/reporter identity, retry fingerprint, latest-attempt metadata, durable-history evidence, andCanScheduleAutomaticRetryOnCurrentNodefrom merged automatic-retry execution, automatic-retry coordination, retry-execution policy, command-journal durability, and distributed retry lease truth,ICdcCaptureExecutionRuntimeCatalognow exposesGetByManagedConnectorDistributedRetryOrchestrationState(...),GetByManagedConnectorDistributedRetryOrchestrationCategory(...), andGetByManagedConnectorDistributedRetryOrchestrationOwnerId(...), the shared data pack now gates bothManagedConnectorAutomaticRetryHostedServiceand automatic invocations inManagedConnectorCommandExecutorthrough that richer shared orchestration answer instead of raw lease checks, andCephalon.AspNetCorenow publishes/engine/cdc-capture-runtimes/distributed-retry-orchestrations/{orchestrationState}plus/engine/cdc-capture-runtimes/distributed-retry-orchestrations/categories/{orchestrationCategory},/engine/cdc-capture-runtimes/distributed-retry-orchestrations/owners/{ownerId}, and/engine/cdc-capture-runtimes/{executionRuntimeId}/distributed-retry-orchestrationwithout inventing a second coordinator, second registry, or Debezium-only scheduler subsystem -
ENG-189now closes the next shared follow-through on that same external and edge-aware runtime story with richer managed-connector cross-node idempotency hardening on the existing shared command lane:Cephalon.Abstractionsnow shipsCdcCaptureExecutionRuntimeManagedConnectorCrossNodeIdempotencyHardeningStates,CdcCaptureExecutionRuntimeManagedConnectorCrossNodeIdempotencyHardeningCategories,CdcCaptureExecutionRuntimeManagedConnectorCrossNodeIdempotencyHardeningSources, andCdcCaptureExecutionRuntimeManagedConnectorCrossNodeIdempotencyHardeningStatus,CdcCaptureExecutionRuntimeDescriptornow carries additiveManagedConnectorCrossNodeIdempotencyHardening,Cephalon.Datanow derives runtime-levelnot-applicable,operator-only,idempotent-safe,stale-owner-risk,duplicate-lineage-risk, andreplay-window-riskposture plus hardening categories, coordination-owner and active-reporter identity, retry fingerprint, retained-lineage and automatic-attempt evidence, durable-history truth, andCanExecuteAutomaticRetryOnCurrentNodefrom merged automatic-retry execution, automatic-retry coordination, retry-execution policy, command-journal, command-journal durability, distributed retry lease, and retained command history answers,ICdcCaptureExecutionRuntimeCatalognow exposesGetByManagedConnectorCrossNodeIdempotencyHardeningState(...),GetByManagedConnectorCrossNodeIdempotencyHardeningCategory(...),GetByManagedConnectorCrossNodeIdempotencyHardeningOwnerId(...), andGetByManagedConnectorCrossNodeIdempotencyHardeningRetryFingerprint(...), the shared data pack now feeds that richer answer back into distributed retry orchestration so bounded scheduling no longer trusts raw lease truth alone, andCephalon.AspNetCorenow publishes/engine/cdc-capture-runtimes/cross-node-idempotency-hardenings/{hardeningState}plus/engine/cdc-capture-runtimes/cross-node-idempotency-hardenings/categories/{hardeningCategory},/engine/cdc-capture-runtimes/cross-node-idempotency-hardenings/owners/{ownerId},/engine/cdc-capture-runtimes/cross-node-idempotency-hardenings/fingerprints/{retryFingerprint}, and/engine/cdc-capture-runtimes/{executionRuntimeId}/cross-node-idempotency-hardeningwithout inventing a second coordinator, second registry, or Debezium-only idempotency subsystem -
ENG-190now closes the next shared follow-through on that same external and edge-aware runtime story with broader managed-connector multi-node lease execution on the existing shared command lane:Cephalon.Abstractionsnow shipsCdcCaptureExecutionRuntimeManagedConnectorMultiNodeLeaseExecutionStates,CdcCaptureExecutionRuntimeManagedConnectorMultiNodeLeaseExecutionCategories,CdcCaptureExecutionRuntimeManagedConnectorMultiNodeLeaseExecutionSources, andCdcCaptureExecutionRuntimeManagedConnectorMultiNodeLeaseExecutionStatus,CdcCaptureExecutionRuntimeDescriptornow carries additiveManagedConnectorMultiNodeLeaseExecution,Cephalon.Datanow derives runtime-levelnot-applicable,operator-only,single-node,lease-executable,lease-blocked,lease-conflicted, andstale-lease-riskposture plus lease-execution categories, coordination-owner and active-reporter identity, scheduler identity/kind, polling interval, retry fingerprint, latest automatic-attempt metadata, andCanExecuteAutomaticRetryOnCurrentNodefrom merged automatic-retry coordination, distributed retry lease, cross-node idempotency hardening, and distributed retry orchestration truth,ICdcCaptureExecutionRuntimeCatalognow exposesGetByManagedConnectorMultiNodeLeaseExecutionState(...),GetByManagedConnectorMultiNodeLeaseExecutionCategory(...), andGetByManagedConnectorMultiNodeLeaseExecutionOwnerId(...), the shared data pack now gates bothManagedConnectorAutomaticRetryHostedServiceand automatic invocations inManagedConnectorCommandExecutorthrough that broader multi-node lease-execution answer instead of distributed retry orchestration alone, andCephalon.AspNetCorenow publishes/engine/cdc-capture-runtimes/multi-node-lease-executions/{leaseExecutionState}plus/engine/cdc-capture-runtimes/multi-node-lease-executions/categories/{leaseExecutionCategory},/engine/cdc-capture-runtimes/multi-node-lease-executions/owners/{ownerId}, and/engine/cdc-capture-runtimes/{executionRuntimeId}/multi-node-lease-executionwithout inventing a second coordinator, second registry, or Debezium-only lease-execution subsystem -
ENG-191now closes the next shared follow-through on that same external and edge-aware runtime story with durable shared scheduler orchestration on the existing shared command lane:Cephalon.Abstractionsnow shipsCdcCaptureExecutionRuntimeManagedConnectorDurableSharedSchedulerOrchestrationStates,CdcCaptureExecutionRuntimeManagedConnectorDurableSharedSchedulerOrchestrationCategories,CdcCaptureExecutionRuntimeManagedConnectorDurableSharedSchedulerOrchestrationSources, andCdcCaptureExecutionRuntimeManagedConnectorDurableSharedSchedulerOrchestrationStatus,CdcCaptureExecutionRuntimeDescriptornow carries additiveManagedConnectorDurableSharedSchedulerOrchestration,Cephalon.Datanow derives runtime-levelnot-applicable,disabled,operator-only,unscheduled,scheduled,lease-blocked,recovery-needed, andscheduler-conflictedposture plus scheduler categories, execution-runtime and capture identity, ownership/topology, coordination-owner and active-reporter identity, scheduler identity/kind, polling interval, retry fingerprint, latest automatic-attempt metadata, durable-history truth, andCanScheduleAutomaticRetryOnCurrentNodefrom merged automatic-retry coordination, command-journal durability, distributed retry orchestration, and broader multi-node lease-execution truth,ICdcCaptureExecutionRuntimeCatalognow exposesGetByManagedConnectorDurableSharedSchedulerOrchestrationState(...),GetByManagedConnectorDurableSharedSchedulerOrchestrationCategory(...), andGetByManagedConnectorDurableSharedSchedulerOrchestrationOwnerId(...), the shared data pack now gates bothManagedConnectorAutomaticRetryHostedServiceand automatic invocations inManagedConnectorCommandExecutorthrough that broader scheduler answer instead of broader multi-node lease-execution truth alone, andCephalon.AspNetCorenow publishes/engine/cdc-capture-runtimes/durable-shared-scheduler-orchestrations/{schedulerState}plus/engine/cdc-capture-runtimes/durable-shared-scheduler-orchestrations/categories/{schedulerCategory},/engine/cdc-capture-runtimes/durable-shared-scheduler-orchestrations/owners/{ownerId}, and/engine/cdc-capture-runtimes/{executionRuntimeId}/durable-shared-scheduler-orchestrationwithout inventing a second coordinator, second registry, or Debezium-only scheduler subsystem -
ENG-192now closes the next shared follow-through on that same external and edge-aware runtime story with scheduler recovery and execution hardening on the existing shared command lane:Cephalon.Abstractionsnow shipsCdcCaptureExecutionRuntimeManagedConnectorSchedulerRecoveryExecutionHardeningStates,CdcCaptureExecutionRuntimeManagedConnectorSchedulerRecoveryExecutionHardeningCategories,CdcCaptureExecutionRuntimeManagedConnectorSchedulerRecoveryExecutionHardeningSources, andCdcCaptureExecutionRuntimeManagedConnectorSchedulerRecoveryExecutionHardeningStatus,CdcCaptureExecutionRuntimeDescriptornow carries additiveManagedConnectorSchedulerRecoveryExecutionHardening,Cephalon.Datanow derives runtime-levelnot-applicable,operator-only,recovery-ready,recovery-blocked,replaying,execution-hardened, andexecution-riskposture plus categories, execution-runtime and capture identity, ownership/topology, coordination-owner and active-reporter identity, durable shared scheduler, broader multi-node lease-execution, distributed retry orchestration, command-journal durability, latest command-execution truth, scheduler identity/kind, polling interval, retry fingerprint, latest automatic-attempt metadata, durable-history truth, andCanExecuteAutomaticRetryOnCurrentNodefrom merged durable shared scheduler, broader multi-node lease-execution, distributed retry orchestration, command-journal durability, and latest execution history,ICdcCaptureExecutionRuntimeCatalognow exposesGetByManagedConnectorSchedulerRecoveryExecutionHardeningState(...),GetByManagedConnectorSchedulerRecoveryExecutionHardeningCategory(...),GetByManagedConnectorSchedulerRecoveryExecutionHardeningOwnerId(...), andGetByManagedConnectorSchedulerRecoveryExecutionHardeningRetryFingerprint(...), the shared data pack now gates bothManagedConnectorAutomaticRetryHostedServiceand automatic invocations inManagedConnectorCommandExecutorthrough that broader scheduler recovery answer instead of durable shared scheduler truth alone, andCephalon.AspNetCorenow publishes/engine/cdc-capture-runtimes/scheduler-recovery-execution-hardenings/{hardeningState}plus/engine/cdc-capture-runtimes/scheduler-recovery-execution-hardenings/categories/{hardeningCategory},/engine/cdc-capture-runtimes/scheduler-recovery-execution-hardenings/owners/{ownerId},/engine/cdc-capture-runtimes/scheduler-recovery-execution-hardenings/fingerprints/{retryFingerprint}, and/engine/cdc-capture-runtimes/{executionRuntimeId}/scheduler-recovery-execution-hardeningwithout inventing a second coordinator, second registry, or Debezium-only recovery subsystem -
ENG-193now closes the next shared follow-through on that same external and edge-aware runtime story with broader provider-owned write-path execution on the existing shared command lane:Cephalon.Abstractionsnow shipsCdcCaptureExecutionRuntimeManagedConnectorProviderOwnedWritePathExecutionStates,CdcCaptureExecutionRuntimeManagedConnectorProviderOwnedWritePathExecutionCategories,CdcCaptureExecutionRuntimeManagedConnectorProviderOwnedWritePathExecutionSources, andCdcCaptureExecutionRuntimeManagedConnectorProviderOwnedWritePathExecutionStatus,CdcCaptureExecutionRuntimeDescriptornow carries additiveManagedConnectorProviderOwnedWritePathExecution,Cephalon.Datanow derives runtime-levelnot-applicable,operator-only,provider-executable,provider-blocked,provider-owned-executing,provider-owned-completed, andprovider-owned-riskposture plus categories, execution-runtime and capture identity, ownership/topology, management mode, operation/source, execution-adapter plus latest-command plus retry-policy plus automatic-retry plus lease plus scheduler plus recovery state, adapter/provider metadata, deterministic fingerprints, approval/destructive/change metadata, andCanExecuteProviderOwnedWritePathOnCurrentNodefrom merged provider execution-adapter, latest command-execution, retry-execution-policy, automatic background retry, distributed retry lease, durable shared scheduler, and scheduler recovery truth,ICdcCaptureExecutionRuntimeCatalognow exposesGetByManagedConnectorProviderOwnedWritePathExecutionState(...),GetByManagedConnectorProviderOwnedWritePathExecutionCategory(...), andGetByManagedConnectorProviderOwnedWritePathExecutionOperationId(...), the shared data pack now gates bothManagedConnectorAutomaticRetryHostedServiceand automatic invocations inManagedConnectorCommandExecutorthrough that broader provider-owned write-path answer instead of scheduler recovery truth alone, andCephalon.AspNetCorenow publishes/engine/cdc-capture-runtimes/provider-owned-write-path-executions/{providerExecutionState}plus/engine/cdc-capture-runtimes/provider-owned-write-path-executions/categories/{providerExecutionCategory},/engine/cdc-capture-runtimes/provider-owned-write-path-executions/operations/{operationId}, and/engine/cdc-capture-runtimes/{executionRuntimeId}/provider-owned-write-path-executionwithout inventing a second coordinator, second registry, or Debezium-only control-plane surface -
ENG-199now closes the next shared follow-through on that same external and edge-aware runtime story with provider-owned control-plane dependency-aware apply-and-reconcile hardening on the existing shared command lane:Cephalon.Abstractionsnow shipsCdcCaptureExecutionRuntimeManagedConnectorProviderOwnedControlPlaneDependencyAwareApplyAndReconcileHardeningStates,CdcCaptureExecutionRuntimeManagedConnectorProviderOwnedControlPlaneDependencyAwareApplyAndReconcileHardeningCategories,CdcCaptureExecutionRuntimeManagedConnectorProviderOwnedControlPlaneDependencyAwareApplyAndReconcileHardeningSources, andCdcCaptureExecutionRuntimeManagedConnectorProviderOwnedControlPlaneDependencyAwareApplyAndReconcileHardeningStatus,CdcCaptureExecutionRuntimeDescriptornow carries additiveManagedConnectorProviderOwnedControlPlaneDependencyAwareApplyAndReconcileHardening,Cephalon.Datanow derives runtime-levelnot-applicable,operator-only,dependency-ready,dependency-blocked,dependency-degraded,apply-and-reconcile-hardened, anddependency-riskposture plus categories, execution-runtime and capture identity, ownership/topology, management mode, operation/source, broader governance plus drift plus provider-owned control-plane apply-and-reconcile plus provisioning plus mutation/reconcile plus ownership plus execution-orchestration plus write-path truth, latest command plus retry-policy plus command-journal evidence, declared-versus-reported dependency identity and task-topology metadata, active reporter-lease evidence, andCanExecuteDependencyAwareApplyAndReconcileOnCurrentNodethroughGetByManagedConnectorProviderOwnedControlPlaneDependencyAwareApplyAndReconcileHardeningState(...),GetByManagedConnectorProviderOwnedControlPlaneDependencyAwareApplyAndReconcileHardeningCategory(...), andGetByManagedConnectorProviderOwnedControlPlaneDependencyAwareApplyAndReconcileHardeningOperationId(...), andCephalon.AspNetCorenow publishes/engine/cdc-capture-runtimes/provider-owned-control-plane-dependency-aware-apply-and-reconcile-hardenings/{hardeningState}plus/engine/cdc-capture-runtimes/provider-owned-control-plane-dependency-aware-apply-and-reconcile-hardenings/categories/{hardeningCategory},/engine/cdc-capture-runtimes/provider-owned-control-plane-dependency-aware-apply-and-reconcile-hardenings/operations/{operationId}, and/engine/cdc-capture-runtimes/{executionRuntimeId}/provider-owned-control-plane-dependency-aware-apply-and-reconcile-hardeningwithout inventing a second coordinator, second registry, or Debezium-only dependency-hardening surface -
ENG-200now closes the next shared follow-through on that same external and edge-aware runtime story with provider-owned control-plane dependency-aware provisioning and mutation hardening on the existing shared command lane:Cephalon.Abstractionsnow shipsCdcCaptureExecutionRuntimeManagedConnectorProviderOwnedControlPlaneDependencyAwareProvisioningAndMutationHardeningStates,CdcCaptureExecutionRuntimeManagedConnectorProviderOwnedControlPlaneDependencyAwareProvisioningAndMutationHardeningCategories,CdcCaptureExecutionRuntimeManagedConnectorProviderOwnedControlPlaneDependencyAwareProvisioningAndMutationHardeningSources, andCdcCaptureExecutionRuntimeManagedConnectorProviderOwnedControlPlaneDependencyAwareProvisioningAndMutationHardeningStatus,CdcCaptureExecutionRuntimeDescriptornow carries additiveManagedConnectorProviderOwnedControlPlaneDependencyAwareProvisioningAndMutationHardening,Cephalon.Datanow derives runtime-levelnot-applicable,operator-only,dependency-ready,provisioning-blocked,mutation-blocked,dependency-degraded,provisioning-hardened,mutation-hardened, anddependency-riskposture plus categories, execution-runtime and capture identity, ownership/topology, management mode, operation/source, broader governance plus drift plus provider-owned control-plane dependency-aware apply-and-reconcile plus apply-and-reconcile execution plus provisioning plus mutation/reconcile plus ownership plus execution-orchestration plus write-path truth, latest command plus retry-policy plus command-journal evidence, declared-versus-reported dependency identity and task-topology metadata, durable-history plus reporter-lease evidence, andCanExecuteDependencyAwareProvisioningAndMutationOnCurrentNodethroughGetByManagedConnectorProviderOwnedControlPlaneDependencyAwareProvisioningAndMutationHardeningState(...),GetByManagedConnectorProviderOwnedControlPlaneDependencyAwareProvisioningAndMutationHardeningCategory(...), andGetByManagedConnectorProviderOwnedControlPlaneDependencyAwareProvisioningAndMutationHardeningOperationId(...), andCephalon.AspNetCorenow publishes/engine/cdc-capture-runtimes/provider-owned-control-plane-dependency-aware-provisioning-and-mutation-hardenings/{hardeningState}plus/engine/cdc-capture-runtimes/provider-owned-control-plane-dependency-aware-provisioning-and-mutation-hardenings/categories/{hardeningCategory},/engine/cdc-capture-runtimes/provider-owned-control-plane-dependency-aware-provisioning-and-mutation-hardenings/operations/{operationId}, and/engine/cdc-capture-runtimes/{executionRuntimeId}/provider-owned-control-plane-dependency-aware-provisioning-and-mutation-hardeningwithout inventing a second coordinator, second registry, or Debezium-only provisioning/mutation dependency-hardening surface -
ENG-201now closes the next shared follow-through on that same external and edge-aware runtime story with provider-specific control-plane materializer truth on the existing shared command lane:Cephalon.Abstractionsnow shipsCdcCaptureExecutionRuntimeManagedConnectorProviderSpecificControlPlaneMaterializerStates,CdcCaptureExecutionRuntimeManagedConnectorProviderSpecificControlPlaneMaterializerCategories,CdcCaptureExecutionRuntimeManagedConnectorProviderSpecificControlPlaneMaterializerSources, andCdcCaptureExecutionRuntimeManagedConnectorProviderSpecificControlPlaneMaterializerStatus,CdcCaptureExecutionRuntimeDescriptornow carries additiveManagedConnectorProviderSpecificControlPlaneMaterializer,Cephalon.Datanow derives runtime-levelnot-applicable,operator-only,materializer-unavailable,materializer-ready,materializer-selected,materializer-executing, andmaterializer-riskposture plus categories, execution-runtime and capture identity, ownership/topology, management mode, operation/source, broader provider-owned control-plane dependency-aware provisioning and mutation hardening plus apply-and-reconcile plus provisioning plus mutation/reconcile plus ownership plus execution-orchestration plus write-path truth, latest command plus retry-policy plus command-journal evidence, durable-history plus reporter-lease signals, provider-specific provider/materializer/transport/provider-surface/connector/worker identity, andCanUseProviderSpecificControlPlaneMaterializerOnCurrentNodethroughGetByManagedConnectorProviderSpecificControlPlaneMaterializerState(...),GetByManagedConnectorProviderSpecificControlPlaneMaterializerCategory(...),GetByManagedConnectorProviderSpecificControlPlaneMaterializerProviderId(...),GetByManagedConnectorProviderSpecificControlPlaneMaterializerProviderSurfaceId(...),GetByManagedConnectorProviderSpecificControlPlaneMaterializerId(...),GetByManagedConnectorProviderSpecificControlPlaneMaterializerConnectorId(...), andGetByManagedConnectorProviderSpecificControlPlaneMaterializerOperationId(...),Cephalon.Data.Debeziumnow normalizes provider-specific materializer metadata through the existing contributor plus report-sink lane, andCephalon.AspNetCorenow publishes/engine/cdc-capture-runtimes/provider-specific-control-plane-materializers/{materializerState}plus/engine/cdc-capture-runtimes/provider-specific-control-plane-materializers/categories/{materializerCategory},/engine/cdc-capture-runtimes/provider-specific-control-plane-materializers/providers/{providerId},/engine/cdc-capture-runtimes/provider-specific-control-plane-materializers/provider-surfaces/{providerSurfaceId},/engine/cdc-capture-runtimes/provider-specific-control-plane-materializers/materializers/{materializerId},/engine/cdc-capture-runtimes/provider-specific-control-plane-materializers/connectors/{connectorId},/engine/cdc-capture-runtimes/provider-specific-control-plane-materializers/operations/{operationId}, and/engine/cdc-capture-runtimes/{executionRuntimeId}/provider-specific-control-plane-materializerwithout inventing a second coordinator, second registry, or Debezium-only materializer surface -
ENG-202now closes the next shared follow-through on that same external and edge-aware runtime story with provider-specific control-plane dependency-aware teardown and mutation-execution hardening on the existing shared command lane:Cephalon.Abstractionsnow shipsCdcCaptureExecutionRuntimeManagedConnectorProviderSpecificControlPlaneDependencyAwareTeardownAndMutationExecutionHardeningStates,CdcCaptureExecutionRuntimeManagedConnectorProviderSpecificControlPlaneDependencyAwareTeardownAndMutationExecutionHardeningCategories,CdcCaptureExecutionRuntimeManagedConnectorProviderSpecificControlPlaneDependencyAwareTeardownAndMutationExecutionHardeningSources, andCdcCaptureExecutionRuntimeManagedConnectorProviderSpecificControlPlaneDependencyAwareTeardownAndMutationExecutionHardeningStatus,CdcCaptureExecutionRuntimeDescriptornow carries additiveManagedConnectorProviderSpecificControlPlaneDependencyAwareTeardownAndMutationExecutionHardening,Cephalon.Datanow derives runtime-levelnot-applicable,operator-only,dependency-ready,teardown-blocked,mutation-execution-blocked,dependency-degraded,teardown-hardened,mutation-execution-hardened, anddependency-riskposture plus categories, execution-runtime and capture identity, ownership/topology, management mode, operation/source, broader provider-specific control-plane materializer plus provider-owned control-plane dependency-aware provisioning and mutation hardening plus apply-and-reconcile plus provisioning plus mutation/reconcile plus ownership plus execution-orchestration plus write-path truth, latest command plus retry-policy plus command-journal evidence, durable-history plus reporter-lease signals, provider/materializer/transport/provider-surface/connector/worker identity, andCanExecuteDependencyAwareTeardownAndMutationExecutionOnCurrentNodethroughGetByManagedConnectorProviderSpecificControlPlaneDependencyAwareTeardownAndMutationExecutionHardeningState(...),GetByManagedConnectorProviderSpecificControlPlaneDependencyAwareTeardownAndMutationExecutionHardeningCategory(...),GetByManagedConnectorProviderSpecificControlPlaneDependencyAwareTeardownAndMutationExecutionHardeningProviderId(...),GetByManagedConnectorProviderSpecificControlPlaneDependencyAwareTeardownAndMutationExecutionHardeningProviderSurfaceId(...),GetByManagedConnectorProviderSpecificControlPlaneDependencyAwareTeardownAndMutationExecutionHardeningMaterializerId(...),GetByManagedConnectorProviderSpecificControlPlaneDependencyAwareTeardownAndMutationExecutionHardeningConnectorId(...), andGetByManagedConnectorProviderSpecificControlPlaneDependencyAwareTeardownAndMutationExecutionHardeningOperationId(...), andCephalon.AspNetCorenow publishes/engine/cdc-capture-runtimes/provider-specific-control-plane-dependency-aware-teardown-and-mutation-execution-hardenings/{hardeningState}plus/engine/cdc-capture-runtimes/provider-specific-control-plane-dependency-aware-teardown-and-mutation-execution-hardenings/categories/{hardeningCategory},/engine/cdc-capture-runtimes/provider-specific-control-plane-dependency-aware-teardown-and-mutation-execution-hardenings/providers/{providerId},/engine/cdc-capture-runtimes/provider-specific-control-plane-dependency-aware-teardown-and-mutation-execution-hardenings/provider-surfaces/{providerSurfaceId},/engine/cdc-capture-runtimes/provider-specific-control-plane-dependency-aware-teardown-and-mutation-execution-hardenings/materializers/{materializerId},/engine/cdc-capture-runtimes/provider-specific-control-plane-dependency-aware-teardown-and-mutation-execution-hardenings/connectors/{connectorId},/engine/cdc-capture-runtimes/provider-specific-control-plane-dependency-aware-teardown-and-mutation-execution-hardenings/operations/{operationId}, and/engine/cdc-capture-runtimes/{executionRuntimeId}/provider-specific-control-plane-dependency-aware-teardown-and-mutation-execution-hardeningwithout inventing a second coordinator, second registry, or Debezium-only teardown/mutation-execution surface -
ENG-203now closes the next shared provider-specific identity drill-down follow-through on that same external and edge-aware runtime story: the shared execution-runtime catalog now exposes provider-surface and connector selectors for both provider-specific materializer and provider-specific dependency-aware teardown/mutation-execution hardening posture, and ASP.NET Core publishes matching/provider-surfaces/{providerSurfaceId}plus/connectors/{connectorId}drill-downs on those same two shared route families so operators can navigate directly from Debezium Kafka Connect REST surface identity to the affected runtime without inventing a second registry or Debezium-only operator API -
ENG-204now hardens provider-specific worker identity normalization on that same external and edge-aware runtime story:Cephalon.Data.Debeziumnow falls back from raw provider metadataworkerIdto the stable externalreporterIdwhen normalizing provider-specific control-plane observations, the shared execution-runtime catalog now resolves the best available provider-specific worker id from normalized metadata plus active reporter truth, and both provider-specific materializer and provider-specific dependency-aware teardown/mutation-execution hardening posture now keepWorkerIdentityVisibleanswers truthful without inventing a Debezium-only worker registry -
ENG-205now closes the next provider-specific worker drill-down follow-through on that same external and edge-aware runtime story: the shared execution-runtime catalog now exposes/workers/{workerId}selectors for both provider-specific materializer and provider-specific dependency-aware teardown/mutation-execution hardening posture, and ASP.NET Core publishes those matching worker routes on the existing shared provider-specific route families so operators can navigate directly from Debezium Kafka Connect REST worker identity to the affected runtime without inventing a second registry or Debezium-only operator API -
ENG-206now closes the next provider-specific transport drill-down follow-through on that same external and edge-aware runtime story: the shared execution-runtime catalog now exposes/transports/{transportKind}selectors for both provider-specific materializer and provider-specific dependency-aware teardown/mutation-execution hardening posture, and ASP.NET Core publishes those matching transport routes on the existing shared provider-specific route families so operators can navigate directly from Debezium Kafka Connect REST transport identity to the affected runtime without inventing a second registry or Debezium-only operator API -
ENG-207now closes the next provider-specific dependency-identity drill-down follow-through on that same external and edge-aware runtime story: the shared execution-runtime catalog now exposes/connect-clusters/{connectClusterId},/connector-classes/{connectorClass}, and/source-providers/{sourceProviderId}selectors for both provider-specific materializer and provider-specific dependency-aware teardown/mutation-execution hardening posture, and ASP.NET Core publishes those matching dependency-identity routes on the existing shared provider-specific route families so operators can navigate directly from Debezium Kafka Connect cluster/class/source identity to the affected runtime without inventing a second registry or Debezium-only operator API -
ENG-208now closes the next provider-specific current-node drill-down follow-through on that same external and edge-aware runtime story: the shared execution-runtime catalog now exposescurrent-nodesselectors for provider-specific materializer posture plus overall, teardown, and mutation-execution current-node selectors for provider-specific dependency-aware teardown/mutation-execution hardening posture, and ASP.NET Core publishes those matching routes on the existing shared provider-specific route families so operators can navigate directly from executable-versus-blocked provider-specific node posture to the affected runtime without inventing a second registry or Debezium-only operator APIENG-150now adds richer provider-native condition semantics on that same shared cell traffic runtime story:Cephalon.Abstractionsnow shipsCellTrafficAutomationMaterializationConditionDescriptorplus stable condition dimensions/categories/states/severities, provider and edge materialization results now carry typedConditions,CellTrafficAutomationRuntimeDescriptornow carries mergedMaterializationConditions,Cephalon.Enginenow derives additivematerialization.*,providerMaterialization.*, andedgeMaterialization.*summaries such asconditionCount,conditionCategories,conditionStates,conditionBreakdown, andhighestConditionSeverity, andCephalon.Edge,Cephalon.Edge.KubernetesGateway, plusCephalon.Edge.Traefiknow publish stable readiness, ownership, dependency, lifecycle, and observation conditions on the existing shared plus provider-specific surfaces instead of provider-local condition vocabularies
-
ENG-151now broadens dependency-aware teardown on that same shared cell traffic runtime story:providerMaterialization.cleanup*plus provider-specific technology surfaces now publishcleanupStrategyand primary/dependency cleanup breakdowns,Cephalon.Edge.KubernetesGatewaytruthfully keeps cleanupprimary-onlyfor ownedHTTPRoutesweeps, andCephalon.Edge.Traefiknow extends cleanup to safe ownedMiddlewareplusTLSOptiondependents that no longer map to active projections without inventing a second lifecycle registry Remaining follow-through: -
additional provider-specific control-plane materializers plus broader dependency-aware teardown beyond the shipped shared ownership/dependency/drift/lifecycle-action baseline, the shipped explicit external-conflict versus orphaned-transfer lifecycle semantics, the shipped typed provider-native condition taxonomy plus condition summaries, the shipped Kubernetes Gateway API configured-intent / observe-only / owned-HTTPRoute apply-and-reconcile plus
primary-onlycleanup breakdown baseline, and the shipped TraefikIngressRouteconfigured-intent / observe-only / owned-apply-and-reconcile plus safe ownedMiddleware/TLSOptioncleanup breakdown baseline -
additional provider-specific capture implementations plus later additional provider-specific control-plane materializers or broader provider-specific teardown and mutation-execution follow-through beyond the shipped command-issuance posture, shipped provider execution-adapter posture, shipped shared command-execution request/result baseline, shipped shared execution outcome/history baseline, shipped shared retry/idempotency posture, shipped shared retry-execution-policy posture, shipped shared bounded command-journal posture, shipped shared automatic background retry execution posture, shipped shared automatic background retry coordination posture, shipped shared durable command-journal posture, shipped shared distributed retry lease posture, shipped shared distributed retry orchestration posture plus orchestration drill-down filters, shipped richer shared cross-node idempotency hardening posture plus hardening drill-down filters, shipped broader shared multi-node lease-execution posture plus lease-execution drill-down filters, shipped durable shared scheduler-orchestration posture plus scheduler drill-down filters, shipped shared scheduler recovery/execution-hardening posture plus hardening drill-down filters, shipped broader shared provider-owned write-path execution posture plus write-path drill-down filters, shipped broader shared provider execution orchestration posture plus orchestration drill-down filters, shipped shared provider-owned control-plane ownership posture plus control-plane ownership drill-down filters, shipped shared provider-owned control-plane mutation/reconcile posture plus mutation/reconcile drill-down filters, shipped shared provider-owned control-plane provisioning posture plus provisioning drill-down filters, shipped shared provider-owned control-plane apply-and-reconcile execution posture plus apply-and-reconcile execution drill-down filters, shipped shared provider-owned control-plane dependency-aware apply-and-reconcile hardening posture plus hardening drill-down filters, shipped shared provider-owned control-plane dependency-aware provisioning and mutation hardening posture plus hardening drill-down filters, shipped shared provider-specific control-plane materializer posture plus state/category/provider/provider-surface/materializer/transport/connect-cluster/connector-class/source-provider/connector/worker/current-node/operation drill-down filters, and shipped shared provider-specific control-plane dependency-aware teardown and mutation-execution hardening posture plus state/category/provider/provider-surface/materializer/transport/connect-cluster/connector-class/source-provider/connector/worker/current-node/teardown-current-node/mutation-current-node/operation drill-down filters, or broader external or edge-aware CDC hardening beyond the shipped external report-id and freshness hardening, reporter-lease and edge-node provenance, multi-reporter reconciliation, stable takeover/degraded semantics, reporter rejoin plus stale-conflict cleanup, reporter/edge/coordination/degraded drill-down operator surfaces, declared-versus-reported runtime coverage hardening, runtime-level remediation summaries, managed-connector governance posture plus drill-down filters, managed-connector desired-versus-observed drift posture plus drill-down filters, managed-connector action-planning posture plus action drill-down filters, managed-connector write-path readiness posture plus readiness drill-down filters, managed-connector preflight posture plus preflight drill-down filters, managed-connector dry-run posture plus dry-run drill-down filters, managed-connector execution-intent posture plus execution-intent drill-down filters, managed-connector execution-approval posture plus execution-approval drill-down filters, managed-connector command-envelope posture plus command-envelope drill-down filters, managed-connector command-issuance posture plus command-issuance drill-down filters, managed-connector command-retry posture plus command-retry drill-down filters, managed-connector retry-execution-policy posture plus retry-execution-policy drill-down filters, managed-connector bounded command-journal posture plus journal drill-down filters, managed-connector automatic background retry posture plus automatic-retry drill-down filters, managed-connector automatic background retry coordination posture plus coordination drill-down filters, managed-connector durable command-journal posture plus durability drill-down filters, managed-connector distributed retry lease posture plus lease drill-down filters, MongoDB change streams, SQL Server CDC, PostgreSQL logical replication, MySQL binlog lifecycle/resume hardening, Oracle LogMiner lifecycle/resume hardening, the Debezium managed-connector baseline, the Debezium lifecycle and reconciliation hardening baseline, the richer execution-runtime operator-rollup baseline, and shared provider-native plus external execution/runtime-story baselines
-
additional provider-specific capture implementations plus provider-specific hardening beyond the shipped shared
ICdcCapture,ICdcCaptureAcknowledger,ICdcCaptureExecutionRuntimeCatalog, configuration-declared external-runtime baseline, typed outbox-linked descriptor/runtime-state/freshness/lag/publication baseline, the shipped MongoDB change-stream runner, the shipped SQL Server CDC runner, the shipped PostgreSQL logical-replication runner, the shipped PostgreSQL publication/slot lifecycle plus restart-resume hardening baseline, the shipped MySQL binlog runner, the shipped MySQL lifecycle/resume hardening baseline, the shipped Oracle LogMiner runner, the shipped Oracle lifecycle/resume hardening baseline, the shipped Debezium managed-connector baseline, the shipped Debezium lifecycle and reconciliation hardening baseline, the shipped report-id/out-of-order/freshness-expiry hardening baseline, the shipped reporter-lease and edge-aware topology hardening baseline, the shipped reporter failover/takeover coordination baseline, the shipped richer multi-reporter reconciliation/operator-story hardening baseline, the shipped stronger reporter takeover/degraded-posture hardening baseline, the shipped reporter rejoin plus stale-conflict cleanup baseline, the shipped reporter/edge/coordination/degraded drill-down baseline, the shipped declared-versus-reported runtime coverage baseline, the shipped runtime-level remediation baseline, the shipped managed-connector governance baseline, the shipped managed-connector drift baseline, the shipped managed-connector action-planning baseline, the shipped managed-connector execution outcome/history baseline, the shipped managed-connector retry/idempotency hardening baseline, the shipped managed-connector retry-execution-policy baseline, the shipped managed-connector bounded command-journal baseline, the shipped managed-connector automatic background retry baseline, and the shared execution/runtime-story surfaces
Exit criteria:
- modules can declare cell boundaries, governed cell routes, and cell health-isolation posture with explicit blast-radius isolation, project-level configuration can overlay deterministic automation policy through
Engine:Cells:TrafficAutomation, including additiveproviderIdplusedgeNodeIdstargeting, provider-managed or edge-managed routes can publish selected materializer ownership plus the latest startup or live observation posture throughproviderMaterializerId,providerMaterializationState,providerMaterializationObservedAtUtc,providerMaterializationError,edgeMaterializerId,edgeMaterializationState,edgeMaterializationObservedAtUtc,edgeMaterializationError, the derived overallmaterializationState,materializationObservedAtUtc, andmaterializationError, and the shared lifecycle vocabulary onproviderMaterialization.*,edgeMaterialization.*, andmaterialization.*metadata for ownership, dependency, drift, lifecycle action, additive cleanup-sweep posture, cleanup strategy, and primary/dependency cleanup breakdowns, provider-specific control-plane follow-through can now publish deterministic Kubernetes Gateway API projected intent, opt-in liveGateway/HTTPRouteobservation, ownedHTTPRouteapply-and-reconcile, and opt-in cleanup-sweep posture throughCephalon.Edge.KubernetesGatewayplus thekubernetes-gateway-traffic-materializationstechnology surface, plus deterministic TraefikIngressRouteprojected intent, opt-in live observation, ownedIngressRouteapply-and-reconcile, and opt-in cleanup-sweep posture throughCephalon.Edge.Traefikplus thetraefik-ingressroute-traffic-materializationstechnology surface, and operators can inspect the same answers through/engine/cells,/engine/cell-routes,/engine/cell-health-isolations,/engine/cell-traffic-automations,/engine/cell-traffic-automations/providers/{providerId},/engine/cell-traffic-automations/edge-nodes/{edgeNodeId},/engine/technology-surfaces/cell-based-architecture, and/engine/snapshot - modules can expose queryable data products through the runtime catalog
- modules can declare CDC captures linked to an outbox through the runtime catalog today, operators can inspect descriptor truth, per-capture runtime posture, capture-side authored/requested/effective execution ownership, shared/configured/provider-native/external-managed execution-topology ownership, out-of-process live reporting, stable report ids, configured stale-window freshness expiry, optional out-of-order rejection, reporter identities, reporter-lease enforcement, reporter failover/takeover coordination posture, stable takeover-state plus degraded-reason answers, declared edge-node allow-lists, reporter/edge runtime summaries, linked runtime summaries, additive execution-runtime coordination rollups, runtime-level declared-versus-reported coverage, runtime-level remediation posture, managed-connector governance posture, managed-connector desired-versus-observed drift posture, managed-connector action-planning posture, managed-connector write-path readiness posture, managed-connector preflight posture, managed-connector dry-run posture, managed-connector execution-intent posture, managed-connector execution-approval posture, managed-connector command-envelope posture, managed-connector command-issuance posture, managed-connector execution-adapter posture, managed-connector command-execution posture, managed-connector retry/idempotency posture, and runtime-first remediation, governance, drift, action-plan-state, action-id, readiness-state, readiness-category, preflight-state, preflight-category, preflight-operation, dry-run-state, dry-run-category, dry-run-operation, execution-intent-state, execution-intent-category, execution-intent-operation, execution-approval-state, execution-approval-category, execution-approval-operation, command-envelope-state, command-envelope-category, command-envelope-operation, command-issuance-state, command-issuance-category, command-issuance-operation, execution-adapter-state, execution-adapter-category, execution-adapter-operation, command-execution-state, command-execution-operation, command-retry-state, command-retry-category, or command-retry-operation drill-downs through
/engine/cdc-captures,/engine/cdc-captures/runtime,/engine/cdc-capture-runtimes,/engine/cdc-captures/execution-runtimes/{executionRuntimeId},/engine/cdc-captures/runtime/execution-runtimes/{executionRuntimeId},POST /engine/cdc-capture-runtimes/{executionRuntimeId}/reports,/engine/cdc-capture-runtimes/remediation/{remediationState},/engine/cdc-capture-runtimes/remediation/categories/{remediationCategory},/engine/cdc-capture-runtimes/governance/{governanceState},/engine/cdc-capture-runtimes/governance/categories/{governanceCategory},/engine/cdc-capture-runtimes/drift/{driftState},/engine/cdc-capture-runtimes/drift/categories/{driftCategory},/engine/cdc-capture-runtimes/action-plans/{actionPlanState},/engine/cdc-capture-runtimes/actions/{actionId},/engine/cdc-capture-runtimes/write-path-readiness/{readinessState},/engine/cdc-capture-runtimes/write-path-readiness/categories/{readinessCategory},/engine/cdc-capture-runtimes/preflight/{preflightState},/engine/cdc-capture-runtimes/preflight/categories/{preflightCategory},/engine/cdc-capture-runtimes/preflight/operations/{operationId},/engine/cdc-capture-runtimes/dry-runs/{dryRunState},/engine/cdc-capture-runtimes/dry-runs/categories/{dryRunCategory},/engine/cdc-capture-runtimes/dry-runs/operations/{operationId},/engine/cdc-capture-runtimes/execution-intents/{executionIntentState},/engine/cdc-capture-runtimes/execution-intents/categories/{executionIntentCategory},/engine/cdc-capture-runtimes/execution-intents/operations/{operationId},/engine/cdc-capture-runtimes/execution-approvals/{executionApprovalState},/engine/cdc-capture-runtimes/execution-approvals/categories/{executionApprovalCategory},/engine/cdc-capture-runtimes/execution-approvals/operations/{operationId},/engine/cdc-capture-runtimes/command-envelopes/{commandState},/engine/cdc-capture-runtimes/command-envelopes/categories/{commandCategory},/engine/cdc-capture-runtimes/command-envelopes/operations/{operationId},/engine/cdc-capture-runtimes/command-issuances/{issuanceState},/engine/cdc-capture-runtimes/command-issuances/categories/{issuanceCategory},/engine/cdc-capture-runtimes/command-issuances/operations/{operationId},/engine/cdc-capture-runtimes/execution-adapters/{executionAdapterState},/engine/cdc-capture-runtimes/execution-adapters/categories/{executionAdapterCategory},/engine/cdc-capture-runtimes/execution-adapters/operations/{operationId},/engine/cdc-capture-runtimes/command-executions/{executionState},/engine/cdc-capture-runtimes/command-executions/operations/{operationId},/engine/cdc-capture-runtimes/{executionRuntimeId}/command-executions,/engine/cdc-capture-runtimes/command-retries/{retryState},/engine/cdc-capture-runtimes/command-retries/categories/{retryCategory},/engine/cdc-capture-runtimes/command-retries/operations/{operationId},POST /engine/cdc-capture-runtimes/{executionRuntimeId}/commands/{operationId}, and/engine/snapshot, hosts can optionally run the shared in-process CDC pump with post-stage provider acknowledgement through/engine/execution-graphs,/engine/hosted-executions, and/engine/runtime-story, the shipped MongoDB change-stream runner plus the shipped SQL Server CDC runner plus the shipped PostgreSQL logical-replication runner plus the shipped MySQL binlog runner plus the shipped Oracle LogMiner runner plus the shipped Debezium managed-connector baseline now prove that additive model across document, relational change-table, relational logical-streaming, relational binlog, relational redo-log, and external managed-connector sources, and later additional provider-specific implementations or alternate execution topologies can build on the same registry instead of inventing a second one
Decision guardrails
Section titled “Decision guardrails”- keep host-specific APIs out of
Cephalon.Abstractions - keep blueprint, transport, and policy selection configuration-driven by default
- keep scaffolding, CLI, and package catalogs aligned with runtime contracts
- prefer benchmark coverage before optimizing or refactoring hot paths blindly
- do not start distributed orchestration before package loading and runtime policy are stable
- prefer one shipped companion proof per infrastructure category until the runtime-neutral contract is proven; for phase 8 messaging that proof is currently
Wolverine, but it remains optional for consumer apps - keep
MassTransitin the tracked-later candidate set until the runtime-neutral eventing contract and the current Wolverine proof are strong enough to justify a second shipped companion adapter - allow consumer-owned infrastructure choices such as
MediatR,LiteBus,NServiceBus, andSlimMessageBus, but do not claim first-class runtime truth for them without an explicit Cephalon bridge or adapter - keep one durable-messaging owner per flow; do not mix Cephalon-managed and third-party durable messaging semantics on the same path